Abstract



The mathematical framework of Stone duality is used to synthesize a number of hitherto separate developments in Theoretical Computer Science:

• Domain Theory, the mathematical theory of computation introduced by Scott as a foundation for denotational semantics.

• The theory of concurrency and systems behaviour developed by Milner, 
Hennessy et al. based on operational semantics. 

• Logics of programs. 

Stone duality provides a junction between semantics (spaces of points = denotations of computational processes) and logics (lattices of properties of processes). Moreover, the underlying logic is geometric, which can be computationally interpreted as the logic of observable properties — i.e. properties which can be determined to hold of a process on the basis of a finite amount of information about its execution.

These ideas lead to the following programme: 

1. A metalanguage is introduced, comprising 

• types = universes of discourse for various computational situations.

• terms = programs = syntactic intensions for models or points. 

2. A standard denotational interpretation of the metalanguage is given, assigning domains to types and domain elements to terms.

3. The metalanguage is also given a logical interpretation, in which types 
are interpreted as propositional theories and terms are interpreted via 
a program logic, which axiomatizes the properties they satisfy. 
4. The two interpretations are related by showing that they are Stone duals of each other. Hence, semantics and logic are guaranteed to be in harmony with each other, and in fact each determines the other up to isomorphism.

5. This opens the way to a whole range of applications. Given a denotational description of a computational situation in our meta-language, we can turn the handle to obtain a logic for that situation.

Organization 

Chapter 1 is an introduction and overview. Chapter 2 gives some background on domains and locales. Chapters 3 and 4 are concerned with 1-4 above. Chapters 5 and 6 each develop a major case study along the lines suggested by 5, in the areas of concurrency and λ-calculus respectively. Finally, Chapter 7 discusses directions for further research.
Chapter 1
Introduction 



The main aim of this thesis is to synthesize a number of hitherto separate 
developments in Theoretical Computer Science and Logic: 

• Domain Theory, the mathematical theory of computation introduced 
by Scott as a foundation for denotational semantics. 

• The theory of concurrency and systems behaviour developed by Milner, 
Hennessy et al. based on operational semantics. 

• Logics of programs. 

• Locale Theory. 

The key to our synthesis is the mathematical theory of Stone duality, which 
provides a junction between semantics (topological spaces) and the logic of 
observable properties (locales). As a worked example, we show how Domain 
Theory can be construed as a logic of observable properties; and explore some 
applications to the study of programming languages. 

1.1 Background 

Domain Theory has been extensively studied since it was introduced by Scott [Sco70], both as regards the basic mathematical theory [Plo81], and the applications, particularly in denotational semantics [MS76], [Sto77], [Gor79], [Sch86], and more recently in static program analysis [Myc81], [Nie84], [AH87]. In the course of this development, a number of new perspectives have emerged.
Syntax vs. Semantics

Domain theory was originally presented as a model theory for computation, and this aspect was emphasised in [Sco70, Sco80a]. However, the effective character of domain constructions was immediately evident, and made fully explicit in [EC76, Sco76, Smy77, Kan79]. Moreover, in recent presentations of domains via neighbourhood systems and information systems [Sco81, Sco82], Scott has shown how the theory can be based on elementary, and finitary, set-theoretic representations, which in the case of information systems are deliberately suggestive of proof theory.

A further step towards explicitly syntactic presentations of domain theory was taken by Martin-Löf, in his Domain Interpretation of Intuitionistic Type Theory [Mar83]. His formulation also traces a line of descent from Kreisel's definition of the continuous functionals [Kre59], via [Mar70, Ers72].

The general tendency of these developments is to suggest that domains 
may as well be viewed in terms of theories as of models. Our work should 
not only confirm this suggestion, but also show how it may be put to use. 

Points vs. Properties 

An important recent development in mathematics has been the rise of locale theory, or "topology without points" [Joh82], in which the open-set lattices rather than the spaces of points become the primary objects of study. That these mathematical developments have direct bearing on Computer Science was emphasised by Smyth in [Smy83b]. If we think of the open sets as properties or propositions, we can think of spaces as logical theories; continuous maps act on these theories under inverse image as predicate transformers in the sense of Dijkstra [Dij76], or modal operators as studied in dynamic logic [Pra81, Har79].

There is also an important theme in Computer Science which emerges as confluent with these mathematical developments; namely, the use of notions of observation and experiment as a basis for the behavioural semantics of systems. This plays a major role in the work of Milner, Hennessy et al. on concurrent systems [Mil80, HM85, Win80], and also in the theory of higher-order functional languages, e.g. [Plo77, Mil77, BC85, BCL85]. The leading idea here is to take some notion of observable event or experiment as an "information quantum", and to construct the meaning of a system out of its information quanta. This corresponds to the leading idea of locale theory, that "points" are nothing but constructions out of properties. By exploiting this correspondence, we may hope to obtain a rapprochement between domain theory and denotational semantics, on the one hand, and operationally formulated notions such as observation equivalence [HM85] on the other.

Denotational vs. Axiomatic 

Another area in programming language theory which has received intensive development over the past 15 years has been logics of programs, e.g. Hoare logic [Hoa69, dB80], dynamic logic [Pra81, Har79], temporal logic [Pnu77], etc. However, to date there has not been a satisfactory integration of this work with domain theory. For example, dynamic logic deals with sets and relations, which from the perspective of domain theory corresponds only to an extremely naive and restricted fragment of programming language semantics. One would like to see a dynamic logic of domains and continuous functions, which would encompass higher-order functions, quasi-infinite (or "lazy") data structures, self-application, non-determinism, and all the other computational phenomena for which domain theory provides a mathematical foundation.

The key mathematical idea which forms the basis of our attempt to draw 
all these diverse strands together is Stone Duality, which we now briefly 
review; a fuller discussion will be found in Chapter 2. 

1.2 Overview: Stone Duality 

The classic Stone Representation Theorem for Boolean algebras [Sto36] is aimed at solving the following problem:

show that every (abstract) Boolean algebra can be represented as 
a field of sets, in which the operations of meet, join and comple- 
ment are represented by intersection, union and set complement. 

Stone's solution to the problem begins with the observation that for any topological space $X$, the lattice $\mathrm{Clop}\,X$ of clopen subsets of $X$ forms a field of sets. His radical step was to construct, from any Boolean algebra $B$, a topological space $\mathrm{Spec}\,B$. To understand the construction, think of $B$ as (the Lindenbaum algebra of) a classical propositional theory. The elements of $B$ are thus to be thought of as (equivalence classes of) formulae, and the operations as logical conjunction, disjunction and negation. Now a model of $B$ is an assignment of "truth-values" $0$ or $1$ to elements of $B$, in a manner consistent with the logical structure; e.g. so that $\neg b$ is assigned $1$ if and only if $b$ is assigned $0$. In short, a model is a Boolean algebra homomorphism $f : B \to 2$, where $2 = \{0, 1\}$ is the two-element lattice. Identifying such an $f$ with $f^{-1}(1) \subseteq B$, which as is well-known is an ultrafilter over $B$ (see e.g. [Joh82]), we can take $\mathrm{Spec}\,B$ as the set of ultrafilters over $B$, with the topology generated by

$$U_a = \{x \in \mathrm{Spec}\,B : a \in x\} \qquad (a \in B).$$

The spaces arising as $\mathrm{Spec}\,B$ for Boolean algebras $B$ in this way were characterised by Stone as the totally disconnected compact Hausdorff spaces (subsequently named Stone spaces in his honour). Moreover, we have the isomorphisms

$$B \cong \mathrm{Clop}\,\mathrm{Spec}\,B, \qquad b \mapsto \{x \in \mathrm{Spec}\,B : b \in x\} \tag{1.1}$$

$$S \cong \mathrm{Spec}\,\mathrm{Clop}\,S, \qquad s \mapsto \{U \in \mathrm{Clop}\,S : s \in U\}. \tag{1.2}$$

The first of these isomorphisms solves the representation problem, and comprises Stone's Theorem in its classical form. But we can go further; these correspondences also extend (contravariantly) to morphisms:

$$S \xrightarrow{\;f\;} T \qquad\qquad A \xleftarrow{\;h\;} B$$

$$\mathrm{Clop}\,S \xleftarrow{\;f^{-1}\;} \mathrm{Clop}\,T \qquad\qquad \mathrm{Spec}\,A \xrightarrow{\;\hat h\;} \mathrm{Spec}\,B$$

where

$$\hat h : x \mapsto \{b \in B : h\,b \in x\}.$$

In modern terminology, this yields a duality (= contravariant equivalence of categories):

$$\mathrm{Stone} \simeq \mathrm{Bool}^{op}.$$
This is the prototype for a whole family of "Stone-type duality theorems", and leads to locale theory, as "pointless topology" or junior-grade (propositional) topos theory. (An excellent reference for these topics is [Joh82].)

But what has all this to do with Computer Science? Two interpretations 
of Stone duality can be found in the existing literature from mathematics 
and logic: 

• The topological view: Points vs. Open sets. 

• The logical view: Models vs. Formulas.

We wish to add a third interpretation:

• The Computer Science view: (Denotations of) computational processes 
vs. (extensions of) specifications. 

The importance of Stone duality for Computer Science is that it provides the right framework for understanding the relationship between denotational semantics and program logic. The fundamental logical relationship of program development is

$$P \models \phi$$

to be read "$P$ satisfies $\phi$", where $P$ is a program (a syntactic description of a computational process), and $\phi$ is a formula (a syntactic description of a property of computations). Thus $P$ is the "how" and $\phi$ the "what" in the dichotomy standardly used to explain the distinction between programs and specifications. We can easily describe the main formal activities of the program development process in terms of this relation:

• Program specification is the task of defining (a list of) properties to be satisfied by the program.

• Program synthesis is the task of finding $P$ given (a list of) $\phi$.

• Program verification is the task of proving that $P \models \phi$.

The two sides of Stone duality — the spatial and the logical or localic — yield 
alternative but equivalent perspectives on this fundamental relationship: 
• The spatial side of the duality, where points are taken as primary, properties are constructed as (open) sets of points, and the fundamental relationship is interpreted as $s \in U$ ($s$ a point, $U$ a property), corresponds to denotational semantics, where the data domains (i.e. the types) of a programming language are interpreted as spaces of points, and programs are given denotations as points in these spaces; this denotational perspective yields a topological interpretation of program logic.

• The logical or localic side of the duality, where properties, as elements of an abstract (logical) lattice, are taken as primary, and points are constructed as sets (prime filters) of properties, with the fundamental relationship interpreted as $a \in x$ ($a$ a property, $x$ a point), corresponds to program logic, and yields a logical interpretation of denotational semantics. The idea is that the structure of the open-set lattices and prime filters is presented syntactically, via axioms and inference rules, as a formal system.

We extract the following concrete research programme from these general 
perspectives on Stone duality: 

1. A metalanguage is introduced, comprising 

• types = data domains = universes of discourse for various computational situations.

• terms = programs = syntactic intensions for models or points. 

2. A standard denotational interpretation of the metalanguage, assigning 
domains to types and domain elements to terms, can be given using 
the spatial side of Stone duality. 

3. The metalanguage is also given a logical interpretation, in which the localic side of the duality is presented as a formal system with axioms and inference rules. Each type is interpreted as a propositional theory; and terms are interpreted by axiomatising the satisfaction relation $P \models \phi$. This gives a program logic.

4. The denotational semantics from 2 and the program logic from 3 are related by showing that they are Stone duals of each other — a strengthened form of the logician's "Soundness and Completeness". As a consequence of this, semantics and logic are guaranteed to be in harmony with each other, and in fact each determines the other up to isomorphism.

5. The framework developed in 1-4 is very general. The metalanguage can be used to describe a wide variety of computational situations, following the ideas of "classical" denotational semantics. Given such a description, we can turn the handle to obtain a logic for that situation. This offers two exciting prospects: of replacing ad hoc ingenuity in the design of program logics to match a given semantics by the routine application of systematic general theory; and of bringing hitherto divergent fields of programming language theory (e.g. λ-calculus and concurrency) within the scope of a single unified framework.

The main objective of this thesis is to elaborate the programme outlined in 1-5. Chapter 2 is devoted to filling in some background on domains and locales. Then Chapters 3 and 4 are concerned with 1-4 above. Chapters 5 and 6 each develop a major case study along the lines suggested by 5, in the areas of concurrency and λ-calculus respectively. Finally, Chapter 7 discusses directions for further research.
Chapter 2

Background: Domains and Locales

The purpose of this Chapter is to summarise what we assume, to fix notation, 
and to review some basic definitions and results. 

2.1 Notation 

Most of the notation from elementary set theory and logic which we will use is standard and should cause no problems to the reader. We shall use $\equiv$ for definitional equality; thus $M \equiv N$ means "the expression $M$ is by definition equal to" (or just: "is defined to be") "$N$". We shall use $\omega$ to denote the natural numbers $\{0, 1, \ldots\}$ (thought of sometimes as an ordinal, and sometimes as just a set); and $\mathbb{N}$ to denote the set of positive integers $\{1, 2, \ldots\}$. Given a set $X$, we write $\wp X$ for the powerset of $X$, $\wp_f X$ for the set of finite subsets of $X$, and $\wp_{fne} X$ for the finite non-empty subsets. We write $X \subseteq_f Y$ for "$X$ is a finite subset of $Y$".

We write substitution of $N$ for $x$ in $M$, where $M$, $N$ are expressions and $x$ is a variable, as $M[N/x]$. We shall assume the usual notions of free and bound variables, as expounded e.g. in [Bar84]. We shall always take expressions modulo $\alpha$-conversion, and treat substitution as a total operation in which variable capture is avoided by suitable renaming of bound variables.

Our notations for semantics will follow those standardly used in denotational semantics. One operation we will frequently need is updating of environments. Let $\mathrm{Env} = \mathrm{Var} \to V$, where $\mathrm{Var}$ is a set of variables, and $V$ some value space. Then for $\rho \in \mathrm{Env}$, $x \in \mathrm{Var}$, $v \in V$, the expression $\rho[x \mapsto v]$ denotes the environment defined by

$$(\rho[x \mapsto v])\,y = \begin{cases} v, & x = y \\ \rho\,y, & \text{otherwise.} \end{cases}$$



Next, we recall some notions concerning posets (partially ordered sets). Given a poset $P$ and $X \subseteq P$, we write

$$\begin{aligned}
{\downarrow}(X) &= \{y \in P : \exists x \in X.\ y \le x\} \\
{\uparrow}(X) &= \{y \in P : \exists x \in X.\ x \le y\} \\
\mathrm{Con}(X) &= \{y \in P : \exists x, z \in X.\ x \le y \le z\}
\end{aligned}$$



We write ${\downarrow}x$, ${\uparrow}x$ for ${\downarrow}(\{x\})$, ${\uparrow}(\{x\})$. A set $X$ is left-closed (or lower-closed) if $X = {\downarrow}(X)$, right-closed (or upper-closed) if $X = {\uparrow}(X)$, and convex-closed if $X = \mathrm{Con}(X)$. When it is important to emphasise $P$ we write ${\downarrow}_P(X)$, ${\uparrow}_P(X)$ etc. We also have the lower, upper and Egli-Milner preorders (reflexive and transitive relations) on subsets of $P$:

$$\begin{aligned}
X \sqsubseteq_l Y &\equiv \forall x \in X.\ \exists y \in Y.\ x \le y \\
X \sqsubseteq_u Y &\equiv \forall y \in Y.\ \exists x \in X.\ x \le y
\end{aligned}$$



We write $2$ for the two-element lattice $\{0, 1\}$ with $0 < 1$, and $O$ for Sierpiński space, which has the same carrier as $2$, and topology $\{\emptyset, \{1\}, \{0, 1\}\}$. As we shall see in the section on domains and locales, $2$ and $O$ are really two faces of the same structure (a "schizophrenic object" in the terminology of [Joh82, Chapter 6]), since $O$ arises from the Scott topology on $2$, and $2$ from the specialisation order on $O$. For other basic notions of the theory of partial orders and lattices, we refer to [GHK*80, Joh82].

Finally, we shall assume a modicum of familiarity with elementary category theory and general topology; suitable references are [ML71] and [Dug66] respectively.
2.2 Domains



We shall assume some familiarity with [Plo81], and use it as our reference for Domain theory. We shall not review such basic definitions as cpo (complete partial order — [Plo81, Chapter 1 p. 7]), continuous function (loc. cit.) etc. here.

By a category of domains we shall mean a sub-category of CPO, the category of complete partial orders and continuous functions (loc. cit.). $\mathrm{CPO}_\perp$ is the category of strict functions ([Plo81, Chapter 1 p. 11]).

The properties of CPO which make it a suitable mathematical universe for denotational semantics — a "tool for making meanings" in Plotkin's phrase — are:

1. It admits recursive definitions, both of elements of domains, and of 
domains themselves. 

2. It supports a rich type structure. 

The mathematical content of (1) is given by the least fixed point theorem for continuous functions on cpo's ([Plo81, Chapter 1 Theorem 1]), and the initial fixed point theorem for continuous functors on CPO ([Plo81, Chapter 5 Theorem 1]). As for (2), the type constructions available over CPO are extensively surveyed in [Plo81, Chapters 2 and 3]. In order to fix notation, we shall catalogue the constructions of which mention will be made in this thesis, with references to the definitions in [Plo81]:



$A \times B$                 product                          Ch. 2 p. 2
$A \to B$                    function space                   Ch. 2 p. 9
$A \oplus B$                 coalesced sum                    Ch. 3 p. 6
$(A)_\perp$                  lifting                          Ch. 3 p. 9
$(A \to_\perp B)$            strict function space            Ch. 1 p. 13
$P_l A$                      lower (Hoare) powerdomain        Ch. 8 p. 14
$P_u A$                      upper (Smyth) powerdomain        Ch. 8 p. 45
$P_p A$                      convex (Plotkin) powerdomain     Ch. 8 p. 28

(Note that separated sum $A + B$ can be defined by: $A + B = (A)_\perp \oplus (B)_\perp$.)
In this thesis, we shall mainly be concerned with algebraic domains, i.e. sub-categories of $\omega$ALG, the category of $\omega$-algebraic cpo's [Plo81, Chapter 6 p. 2]. In particular, we shall be concerned with the following three full sub-categories of $\omega$ALG:

1. AlgLat: the category of $\omega$-algebraic lattices [Plo81, Chapter 6 p. 13].

2. SDom: the category of Scott domains, i.e. the consistently complete $\omega$-algebraic cpo's (loc. cit.). (The name comes from the fact that this is exactly the category presented in [Sco81, Sco82].)

3. SFP: the category of strongly algebraic cpo's [Plo81, Chapter 6 p. 17]. The name is an acronym for "Sequences of Finite Posets" — in more standard terminology, these are the $\omega$-profinite cpo's. This category was introduced in [Plo76].

Each of these categories is a full sub-category of the next. 

The justification for studying these categories comes from the fact that SFP is closed under all the type constructions listed above, while SDom is closed under all but the Plotkin powerdomain. In particular, both are cartesian closed; indeed, SFP is the largest cartesian closed full sub-category of $\omega$ALG [Smy83a], while SDom is the largest "basis elementary" such sub-category [Gun86]. Moreover, both categories admit initial solutions of domain equations built from these constructions (obviously excluding the Plotkin powerdomain in the case of SDom). Almost all the domains needed in denotational semantics to date can be defined from these constructions by composition and recursion (some exceptions of three different kinds: [Abr83b], [Ole85], [Plo82]). The reason for including AlgLat is that it is a usefully simpler special case, which will be applicable to our work in Chapter 6.

Given an algebraic domain $D$, we shall write $\mathcal{K}(D)$ for its basis, i.e. the sub-poset of finite elements. Now algebraic domains are freely constructed from their bases, i.e.

$$D \cong \mathrm{Idl}(\mathcal{K}(D))$$

where Idl is the ideal completion described in [Plo81, Chapter 6 p. 5]. Thus we can in fact completely describe such categories as SDom and SFP in an elementary fashion in terms of the bases; various ways of doing this for SDom are presented in [Sco81, Sco82].
An important part of this programme is to describe the type constructions listed above in terms of their effect on the bases. We shall fix some concrete definitions of the constructions for use in later chapters.

• $\mathcal{K}(A \times B) = \mathcal{K}(A) \times \mathcal{K}(B)$; the ordering is component-wise.

• $\mathcal{K}(A \oplus B) = \mathcal{K}(A) \oplus \mathcal{K}(B)$, i.e.

$$\{\perp\} \cup (\{0\} \times (\mathcal{K}(A) - \{\perp_A\})) \cup (\{1\} \times (\mathcal{K}(B) - \{\perp_B\}))$$

with the ordering defined by

$$\begin{aligned} x \sqsubseteq y \equiv\ & x = \perp \\ \text{or}\ & x = (0, a) \;\&\; y = (0, b) \;\&\; a \sqsubseteq b \\ \text{or}\ & x = (1, c) \;\&\; y = (1, d) \;\&\; c \sqsubseteq d. \end{aligned}$$

• $\mathcal{K}((A)_\perp) = \{\perp\} \cup (\{0\} \times \mathcal{K}(A))$, with the ordering defined by

$$\begin{aligned} x \sqsubseteq y \equiv\ & x = \perp \\ \text{or}\ & x = (0, a) \;\&\; y = (0, b) \;\&\; a \sqsubseteq b. \end{aligned}$$

• $\mathcal{K}(P_l(A)) = \{{\downarrow}_{\mathcal{K}(A)}(X) : X \in \wp_{fne}(\mathcal{K}(A))\}$, with the subset ordering.

• $\mathcal{K}(P_u(A)) = \{{\uparrow}_{\mathcal{K}(A)}(X) : X \in \wp_{fne}(\mathcal{K}(A))\}$, with the superset ordering.

• $\mathcal{K}(P_p(A)) = \{\mathrm{Con}_{\mathcal{K}(A)}(X) : X \in \wp_{fne}(\mathcal{K}(A))\}$, with the Egli-Milner ordering (which is a partial order on the convex-closed sets).
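The closure operators ↓, ↑ and Con and the lower, upper and Egli-Milner preorders of Section 2.1, together with the bases $\mathcal{K}(P_l(A))$, $\mathcal{K}(P_u(A))$ and $\mathcal{K}(P_p(A))$ just defined, as an added worked example in Python; this is not the thesis's own code. The poset is a constructed flat domain $\{\perp, 0, 1, 2\}$, taken as its own basis since every element of a finite poset is finite. The Egli-Milner preorder is implemented as the conjunction of the lower and upper preorders (its standard definition, assumed here), and the last function checks the remark above that it is a partial order on the convex-closed sets. All function names are this example's own.

```python
# Added example, not from the thesis: closure operators, the three preorders
# on subsets, and the finite elements of the lower, upper and convex
# powerdomains over a small constructed poset.
from itertools import combinations


def make_leq(elems, covers):
    """Reflexive-transitive closure of a covering relation, as a predicate."""
    rel = {(x, x) for x in elems} | set(covers)
    changed = True
    while changed:
        changed = False
        for (x, y) in list(rel):
            for (y2, z) in list(rel):
                if y == y2 and (x, z) not in rel:
                    rel.add((x, z))
                    changed = True
    return lambda x, y: (x, y) in rel


def down(P, leq, X):
    """↓(X) = {y ∈ P : ∃x ∈ X. y ≤ x}."""
    return frozenset(y for y in P if any(leq(y, x) for x in X))


def up(P, leq, X):
    """↑(X) = {y ∈ P : ∃x ∈ X. x ≤ y}."""
    return frozenset(y for y in P if any(leq(x, y) for x in X))


def con(P, leq, X):
    """Con(X) = {y ∈ P : ∃x, z ∈ X. x ≤ y ≤ z}."""
    return frozenset(y for y in P if any(leq(x, y) and leq(y, z) for x in X for z in X))


def lower(leq, X, Y):
    """X ⊑_l Y ≡ ∀x ∈ X. ∃y ∈ Y. x ≤ y."""
    return all(any(leq(x, y) for y in Y) for x in X)


def upper(leq, X, Y):
    """X ⊑_u Y ≡ ∀y ∈ Y. ∃x ∈ X. x ≤ y."""
    return all(any(leq(x, y) for x in X) for y in Y)


def egli_milner(leq, X, Y):
    """Egli-Milner preorder: both lower and upper (standard definition, assumed here)."""
    return lower(leq, X, Y) and upper(leq, X, Y)


def powerdomain_bases(P, leq):
    """Finite elements of P_l, P_u, P_p over a finite poset P (P is its own basis):
    the closures of the finite non-empty subsets of P."""
    fne = [frozenset(s) for r in range(1, len(P) + 1) for s in combinations(P, r)]
    return ({down(P, leq, X) for X in fne},
            {up(P, leq, X) for X in fne},
            {con(P, leq, X) for X in fne})


def em_antisymmetric_on_convex(P, leq):
    """Egli-Milner is a partial order on the convex-closed sets: check antisymmetry."""
    _, _, convex = powerdomain_bases(P, leq)
    return all(X == Y for X in convex for Y in convex
               if egli_milner(leq, X, Y) and egli_milner(leq, Y, X))


# Constructed poset: the flat domain with bottom "bot" below 0, 1 and 2.
FLAT = ["bot", 0, 1, 2]
FLAT_LEQ = make_leq(FLAT, [("bot", 0), ("bot", 1), ("bot", 2)])


def demo():
    """Compare {bot, 0} and {0} under the lower and upper preorders in both
    directions, and count the three bases over FLAT."""
    X, Y = frozenset({"bot", 0}), frozenset({0})
    lb, ub, cb = powerdomain_bases(FLAT, FLAT_LEQ)
    return (lower(FLAT_LEQ, X, Y), upper(FLAT_LEQ, X, Y),
            lower(FLAT_LEQ, Y, X), upper(FLAT_LEQ, Y, X),
            len(lb), len(ub), len(cb))
```

Over the flat domain the lower basis has 8 elements (every lower-closed set contains ⊥, leaving a free choice among 0, 1, 2), the upper basis 8 (the seven non-empty antichains of values plus the whole poset), and the convex basis all 15 non-empty subsets, since Con(X) = X when nothing lies strictly between two elements. The pair {⊥, 0}, {0} shows the asymmetry between ⊑_l and ⊑_u: each is below the other in the lower preorder, but {0} is not below {⊥, 0} in the upper preorder because nothing in {0} lies below ⊥.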

All these definitions are valid for any algebraic cpo. Since $\omega$ALG is not cartesian closed, we must obviously describe the function space construction for one of its cartesian closed sub-categories. As the description for SFP is rather complicated (see [Gun85]), we shall give the simpler description for SDom.

Definition 2.2.1 (i) ([Plo81, Chapter 6 p. 1]). Let $A$, $B$ be algebraic domains. For $a \in \mathcal{K}(A)$, $b \in \mathcal{K}(B)$,

$$[a, b] : A \to B$$

is the one-step function defined by

$$[a, b]\,d = \begin{cases} b & \text{if } a \sqsubseteq d \\ \perp & \text{otherwise.} \end{cases}$$

(ii) ([Plo81, Chapter 6 p. 13]). $X \subseteq A$ is consistent:

$$\Uparrow(X) \equiv \exists d \in A.\ \forall x \in X.\ x \sqsubseteq d.$$

We write $x \Uparrow y$ for $\Uparrow\{x, y\}$.

Note that Plotkin writes $(a \Rightarrow b)$ for $[a, b]$, and ${\uparrow}X$ for $\Uparrow(X)$.

Proposition 2.2.2 ([Plo81, Chapter 6 pp. 14-15]). Let $A$, $B$ be Scott domains, and $\{a_i\}_{i \in I} \subseteq \mathcal{K}(A)$, $\{b_i\}_{i \in I} \subseteq \mathcal{K}(B)$ for some finite set $I$.

(i) $\Uparrow\{[a_i, b_i] : i \in I\}$ if and only if

$$\forall J \subseteq I.\ \Uparrow\{a_j : j \in J\} \Rightarrow \Uparrow\{b_j : j \in J\}$$

(ii) $\Uparrow\{[a_i, b_i] : i \in I\}$ implies that $\bigsqcup\{[a_i, b_i] : i \in I\}$ exists and is defined by

$$\Bigl(\bigsqcup\{[a_i, b_i] : i \in I\}\Bigr)\,d = \bigsqcup\{b_i : a_i \sqsubseteq d\}.$$

Now we finally get our description of the function space:

• For Scott domains $A$, $B$:

$$\mathcal{K}(A \to B) = \Bigl\{\bigsqcup\{[a_i, b_i] : i \in I\} : I \text{ finite},\ \{a_i\}_{i \in I} \subseteq \mathcal{K}(A),\ \{b_i\}_{i \in I} \subseteq \mathcal{K}(B),\ \Uparrow\{[a_i, b_i] : i \in I\}\Bigr\}.$$
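Definition 2.2.1 and Proposition 2.2.2 can be exercised directly on finite Scott domains. The following Python is an added worked example, not code from the thesis: on two constructed flat domains $A = \{\perp, 0, 1\}$ and $B = \{\perp, \mathit{tt}, \mathit{ff}\}$ it builds one-step functions $[a, b]$, tests a family $\{[a_i, b_i]\}$ for consistency by the criterion in 2.2.2(i), computes its join by the formula in 2.2.2(ii), and enumerates $\mathcal{K}(A \to B)$ as the joins of all consistent families. The consistency predicate $\Uparrow$ is implemented for flat domains only; the domains, the sample families and all function names are this example's own.

```python
# Added example, not from the thesis: one-step functions, the consistency
# criterion of Proposition 2.2.2(i) and the join formula of 2.2.2(ii), on two
# constructed flat domains.
from itertools import combinations, product

BOT = "bot"  # the bottom element of every flat domain used here


def flat_leq(x, y):
    """Order of a flat domain: ⊥ is below everything, otherwise only x ⊑ x."""
    return x == BOT or x == y


def bounded(D, xs):
    """⇑X on the finite flat domain D: some d ∈ D lies above every x ∈ X."""
    return any(all(flat_leq(x, d) for x in xs) for d in D)


def flat_lub(bs):
    """Join in a flat domain: the unique non-bottom value, or ⊥ if there is none."""
    vals = {b for b in bs if b != BOT}
    if len(vals) > 1:
        raise ValueError("no join for %r" % sorted(map(str, vals)))
    return vals.pop() if vals else BOT


def step(a, b):
    """One-step function [a, b]: d ↦ b if a ⊑ d, else ⊥."""
    return lambda d: b if flat_leq(a, d) else BOT


def family_consistent(A, B, pairs):
    """Proposition 2.2.2(i): {[a_i, b_i]} is consistent iff for every J ⊆ I,
    ⇑{a_j : j ∈ J} implies ⇑{b_j : j ∈ J}."""
    return all(not bounded(A, [a for a, _ in J]) or bounded(B, [b for _, b in J])
               for r in range(len(pairs) + 1)
               for J in combinations(pairs, r))


def join_of_steps(pairs):
    """Proposition 2.2.2(ii): (⊔{[a_i, b_i]}) d = ⊔{b_i : a_i ⊑ d}."""
    return lambda d: flat_lub([b for a, b in pairs if flat_leq(a, d)])


def function_space_basis(A, B):
    """K(A → B): joins of all consistent finite families of one-step functions,
    each represented by its table of values on A."""
    all_pairs = list(product(A, B))
    tables = set()
    for r in range(len(all_pairs) + 1):
        for fam in combinations(all_pairs, r):
            if family_consistent(A, B, fam):
                f = join_of_steps(fam)
                tables.add(tuple(f(d) for d in A))
    return tables


def demo():
    """Constructed domains A = {⊥, 0, 1}, B = {⊥, tt, ff}."""
    A, B = [BOT, 0, 1], [BOT, "tt", "ff"]
    good = [(0, "tt"), (1, "ff")]   # {0, 1} has no upper bound, so no constraint arises
    bad = [(0, "tt"), (0, "ff")]    # {0} is bounded but {tt, ff} is not
    f = join_of_steps(good)
    # each step function lies below the join, pointwise
    dominates = all(flat_leq(step(a, b)(d), f(d)) for a, b in good for d in A)
    return (family_consistent(A, B, good), family_consistent(A, B, bad),
            tuple(f(d) for d in A), dominates, len(function_space_basis(A, B)))
```

For these flat domains the enumeration yields 11 finite elements: the nine functions sending ⊥ to ⊥ with free values at 0 and 1, plus the two constant functions tt and ff, which is exactly the set of monotone maps from $A$ to $B$. The family {[0, tt], [1, ff]} is consistent because the only subset of arguments with an upper bound is a singleton, while {[0, tt], [0, ff]} fails the criterion at $J = I$.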
2.3 Locales



Our reference for locale theory and Stone duality will be [Joh82]. Since locale theory is not yet a staple of Computer Science, we shall briefly review some of the basic ideas.

Classically, the study of general topology is based on the category Top of topological spaces and continuous maps. However, in recent years mathematicians influenced by categorical and constructive ideas have advocated that attention be shifted to the open-set lattices as the primary objects of study. Given a space $X$, we write $\Omega(X)$ for the lattice of open subsets of $X$ ordered by inclusion. Since $\Omega(X)$ is closed under arbitrary unions and finite intersections, it is a complete lattice satisfying the infinite distributive law



(By the Adjoint Functor Theorem, in any complete lattice this law is equivalent to the existence of a right adjoint to conjunction, i.e. to the fact that implication can be defined in a canonical way.) Such a lattice is a complete Heyting algebra, i.e. the Lindenbaum algebra of an intuitionistic theory. The continuous functions between topological spaces preserve unions and intersections, and hence all joins and finite meets of open sets, under inverse image; thus we get a functor

$$\Omega : \mathrm{Top} \to \mathrm{Loc}$$

where Loc, the category of locales, is the opposite of Frm, the category of frames, which has complete Heyting algebras as objects, and maps preserving all joins and finite meets as morphisms. Note that Frm is a concrete category of structured sets and structure-preserving maps, and consequently convenient to deal with (for example, it is monadic over Set). Thus we study Loc via Frm; but it is Loc which is the proposed alternative or replacement for Top, and hence the ultimate object of study.

Notation. Given a morphism $f : A \to B$ in Loc, we write $f^*$ for the corresponding morphism $B \to A$ in Frm.

Now we can define a functor

$$\mathrm{Pt} : \mathrm{Loc} \to \mathrm{Top}$$

as follows (for motivation, see our discussion of Stone's original construction in Chapter 1): $\mathrm{Pt}(A)$ is the set of all frame morphisms $f : A \to 2$, where $2$ is the two-point lattice. Any such $f$ can be identified with the set $F = f^{-1}(1)$, which satisfies:

$$\begin{aligned}
& 1 \in F \\
& a, b \in F \Rightarrow a \wedge b \in F \\
& a \in F,\ a \le b \Rightarrow b \in F \\
& \bigvee_{i \in I} a_i \in F \Rightarrow \exists i \in I.\ a_i \in F.
\end{aligned}$$

Such a subset is called a completely prime filter. Conversely, any completely prime filter $F$ determines a frame homomorphism $\chi_F : A \to 2$. Thus we can identify $\mathrm{Pt}(A)$ with the completely prime filters over $A$. The topology on $\mathrm{Pt}(A)$ is given by the sets $U_a$ ($a \in A$):

$$U_a = \{x \in \mathrm{Pt}(A) : a \in x\}.$$
Clearly, 



so this is a topology. Pt is extended to morphisms by: 



$$A \xrightarrow{\;f\;} B \qquad\qquad \mathrm{Pt}(A) \xrightarrow{\;\mathrm{Pt}(f)\;} \mathrm{Pt}(B)$$

$$\mathrm{Pt}(f)\,x = \{b : f^* b \in x\}.$$

We now define, for each $X$ in Top and $A$ in Loc:

$$\eta_X : X \to \mathrm{Pt}(\Omega(X)), \qquad \eta_X(x) = \{U : x \in U\}$$

$$\varepsilon_A : \Omega(\mathrm{Pt}(A)) \to A, \qquad \varepsilon_A^*(a) = \{x : a \in x\}.$$

Now we have 
Theorem 2.3.1 ([Joh82, II.2.4]). $(\Omega, \mathrm{Pt}, \eta, \varepsilon) : \mathrm{Top} \to \mathrm{Loc}$ defines an adjunction between Top and Loc; moreover ([Joh82, II.2.7]), this cuts down to an equivalence between the full sub-categories Sob of sober spaces and SLoc of spatial locales.

The equivalence between Sob and SLoc (and therefore the duality or contravariant equivalence between Sob and SFrm) may be taken as the most general purely topological version of Stone duality. For our purposes, some dualities arising as restrictions of this one are of interest.
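Stone's construction in Section 1.2 ($\mathrm{Spec}\,B$ as the ultrafilters of $B$, with basic opens $U_a$) and the points $\mathrm{Pt}(A)$ of a locale defined above are, for a finite lattice, both obtained by enumerating prime filters, since in a finite lattice every prime filter is completely prime. The following Python is an added worked example, not code from the thesis: it computes $\mathrm{Spec}$ of the powerset algebra of $\{1, 2, 3\}$ and checks that $b \mapsto U_b$ is a Boolean-algebra isomorphism onto the clopens of $\mathrm{Spec}\,B$ (isomorphism (1.1)), and computes $\mathrm{Pt}(\Omega(X))$ for a constructed three-point $T_0$ space together with the unit $\eta_X$, checking that $\eta_X$ is a bijection under which each open $a$ corresponds to $\varepsilon_A^*(a) = \{x : a \in x\}$. The lattices, the space and all function names are constructed for this example.

```python
# Added example, not from the thesis: Spec B for a finite Boolean algebra and
# Pt(Ω(X)) for a finite space, both computed by enumerating prime filters.
from itertools import combinations


def lub(elems, leq, xs):
    """Least upper bound of xs in the finite poset (elems, leq); None if absent."""
    ubs = [u for u in elems if all(leq(x, u) for x in xs)]
    return next((u for u in ubs if all(leq(u, v) for v in ubs)), None)


def glb(elems, leq, xs):
    """Greatest lower bound of xs in the finite poset (elems, leq); None if absent."""
    lbs = [l for l in elems if all(leq(l, x) for x in xs)]
    return next((l for l in lbs if all(leq(m, l) for m in lbs)), None)


def prime_filters(elems, leq):
    """Prime filters of a finite lattice: proper, contain the top, upward closed,
    closed under binary meets, and a ∨ b ∈ F implies a ∈ F or b ∈ F.
    In a finite lattice every prime filter is completely prime."""
    top, bot = glb(elems, leq, []), lub(elems, leq, [])
    found = []
    for r in range(1, len(elems)):
        for cand in combinations(elems, r):
            F = frozenset(cand)
            if top not in F or bot in F:
                continue
            if any(leq(a, b) and b not in F for a in F for b in elems):
                continue
            if any(glb(elems, leq, [a, b]) not in F for a in F for b in F):
                continue
            if any(lub(elems, leq, [a, b]) in F and a not in F and b not in F
                   for a in elems for b in elems):
                continue
            found.append(F)
    return found


def spec(elems, leq):
    """Spec A = prime filters of A, with the basic opens U_a = {x : a ∈ x}."""
    pts = prime_filters(elems, leq)
    basic = {a: frozenset(x for x in pts if a in x) for a in elems}
    return pts, basic


def stone_check():
    """B = powerset of {1, 2, 3} (constructed input): verify that b ↦ U_b is a
    Boolean-algebra isomorphism B ≅ Clop Spec B."""
    top = frozenset({1, 2, 3})
    B = [frozenset(s) for r in range(4) for s in combinations(sorted(top), r)]
    pts, U = spec(B, lambda a, b: a <= b)
    # Spec B is finite and discrete here, so every subset of it is clopen.
    clop = {frozenset(s) for r in range(len(pts) + 1) for s in combinations(pts, r)}
    bijective = set(U.values()) == clop and len(set(U.values())) == len(B)
    homomorphic = all(U[a & b] == U[a] & U[b] and U[a | b] == U[a] | U[b]
                      and U[top - a] == frozenset(pts) - U[a]
                      for a in B for b in B)
    return len(pts), bijective, homomorphic


def sobriety_check():
    """X = {0, 1, 2} with opens ∅, {2}, {1, 2}, X (constructed, T0): compute
    Pt(Ω(X)) and the unit η_X(x) = {U : x ∈ U}; check that η_X is a bijection
    under which the open V corresponds to ε*(V) = {x : V ∈ x}."""
    X = [0, 1, 2]
    opens = [frozenset(), frozenset({2}), frozenset({1, 2}), frozenset({0, 1, 2})]
    pts, U = spec(opens, lambda a, b: a <= b)
    eta = {x: frozenset(V for V in opens if x in V) for x in X}
    eta_bijective = set(eta.values()) == set(pts) and len(set(eta.values())) == len(X)
    counit_ok = all(U[V] == frozenset(eta[x] for x in V) for V in opens)
    return len(pts), eta_bijective, counit_ok
```

For the eight-element Boolean algebra the only prime filters are the three principal filters generated by the atoms, so $\mathrm{Spec}\,B$ has three points and $b \mapsto U_b$ sends each subset to the set of atoms it contains. For the chain of opens of the three-point space there are again three prime filters, one for each point, which is the statement that a finite $T_0$ space is sober.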

Definition 2.3.2 A space $X$ is coherent if the compact-open subsets of $X$ (notation: $K\Omega(X)$) form a basis closed under finite intersections, i.e. for which $K\Omega(X)$ is a distributive sub-lattice of $\Omega(X)$.

Theorem 2.3.3 (i) ([Joh82, II.2.11]). The forgetful functor from Frm to DLat, the category of distributive lattices, has as left adjoint the functor Idl, which takes a distributive lattice to its ideal completion.

(ii) ([Joh82, II.3.4]). Given a distributive lattice $A$, define $\mathrm{Spec}\,A$ as the set of prime filters over $A$ (i.e. sets of the form $f^{-1}(1)$ for lattice homomorphisms $f : A \to 2$), with topology generated by

$$U_a = \{x \in \mathrm{Spec}\,A : a \in x\} \qquad (a \in A).$$

Then $\mathrm{Spec}\,A \cong \mathrm{Pt}(\mathrm{Idl}(A))$.

(iii) ([Joh82, II.3.3]). The duality of Theorem 2.3.1 cuts down to a duality

$$\mathrm{CohSp} \simeq \mathrm{CohLoc} \simeq \mathrm{DLat}^{op}$$

where CohSp is the category of coherent $T_0$ spaces, and continuous maps which preserve compact-open subsets under inverse image; and $\mathrm{CohLoc}^{op}$ is the image of DLat under the functor Idl.

The logical significance of the coherent case is that finitary syntax — 
specifically finite disjunctions — suffices. The original Stone duality theorem 
discussed in Chapter 1 is obtained as the further restriction of this duality to 
coherent Hausdorff spaces (which turns out to be another description of the 
Stone spaces) and Boolean algebras, i.e. complemented distributive lattices. 
Note that under the compact Hausdorff condition, all continuous maps satisfy 
the special property in part (iii) of the Theorem. 

As a further special case of Stone duality, we note: 
Theorem 2.3.4 (i) The forgetful functor from distributive lattices to the category MSL of meet-semilattices has a left adjoint $\mathrm{L}$, where $\mathrm{L}(A) = \{{\downarrow}(X) : X \in \wp_f(A)\}$, ordered by inclusion. (Notice that this is the same construction as for the lower powerdomain; this fact is significant, but not in the scope of this thesis.)

(ii) For any meet-semilattice $A$, define $\mathrm{Filt}(A)$ as the set of all filters over $A$, with topology defined exactly as for $\mathrm{Spec}(A)$. Then

$$\mathrm{Filt}(A) \cong \mathrm{Spec}(\mathrm{L}(A)) \cong \mathrm{Pt}(\mathrm{Idl}(\mathrm{L}(A))).$$

(iii) The duality of Theorem 2.3.3 cuts down to a duality

$$\mathrm{CohAlgLat} \simeq \mathrm{MSL}^{op}$$

where CohAlgLat is the full sub-category of CohSp of algebraic lattices with the Scott topology (to be defined in the next section).

An extensive treatment of locale theory and Stone-type dualities can be found in [Joh82]. Our purpose in the remainder of this section is to give some conceptual perspectives on the theory.

Firstly, a logical perspective. As already mentioned, locales are the Lindenbaum algebras of intuitionistic theories, more particularly of propositional geometric theories, i.e. the logic of finite conjunctions and infinite disjunctions. The morphisms preserve this geometric structure, but are not required to preserve the additional "logical" structure of implication and negation (which can be defined in any complete Heyting algebra). Thus from a logical point of view, locale theory is propositional geometric logic. Moreover, Stone duality also has a logical interpretation. The points of a space correspond to models in the logical sense; the theory of a model is the completely prime filter of opens it satisfies, where the satisfaction relation is just

$$x \models a \equiv x \in a$$

in terms of spaces (i.e. with $x \in X$ and $a \in \Omega(X)$), and

$$x \models a \equiv a \in x$$

in terms of locales (i.e. with $x \in \mathrm{Pt}(A)$ and $a \in A$). Spatiality of a class of locales is then a statement of Completeness: every consistent theory has a model.
Secondly, a computational perspective. If we view the points of a space as the denotations of computational processes (programs, systems), then the elements of the corresponding locale can be seen as properties of computational processes. More than this, these properties can in turn be thought of as computationally meaningful; we propose that they be interpreted as observable properties. Intuitively, we say that a property is observable if we can tell whether or not it holds of a process on the basis of only a finite amount of information about that process¹. Note that this is really semi-observability, since if the property is not satisfied, we do not expect that this is finitely observable. This intuition of observability motivates the asymmetry between conjunction and disjunction in geometric logic and topology. Infinite disjunctions of observable properties are still observable — to see that $\bigvee a_i$ holds of a process, we need only observe that one of the $a_i$ holds — while infinite conjunctions clearly do not preserve finite observability in general. More precisely, consider Sierpiński space $O$. We can regard this space as representing the possible outcomes of an experiment to determine whether a property is satisfied; the topology is motivated by semi-observability, so an observable property on a space $X$ should be a continuous function to $O$. In fact, we have

$$\Omega(X) \cong (X \to O)$$

where $(X \to O)$ is the continuous function space, ordered pointwise (thinking of $O$ as $2$). Now for infinite $I$, $I$-ary disjunction, viewed as a function

$$O^I \to O$$

is continuous, while $I$-ary conjunction is not. Similarly, implication and negation, taken as functions

$$\Rightarrow\ : O \times O \to O, \qquad \neg : O \to O$$

are not continuous. Thus from this perspective,

geometric logic = observational logic.

"'^This is really only one facet of observability. Another is extensionality, i.e. that we 
regard a process as a black box with some specified interface to its environment, and only 
take what is observable via this interface into account in determining the meaning of the 
process. Extensionality in this sense is obviously relative to our choice of interface; it is 
orthogonal to the notion being discussed in the main text. 
These ideas follow those proposed by Smyth in his pioneering paper [Smy83b], but with some differences. In [Smy83b], Smyth interprets "open set" as semi-decidable property; this represents an ultimate commitment to interpret our mathematics in some effective universe. My preference is to do Theoretical Computer Science in as ontologically or foundationally neutral a manner as possible. The distinction between semi-observability and semi-decidability is analogous to the distinction between the computational motivation for the basic axioms of domain theory in terms of "physical feasibility" given in [Plo81, Chapter 1], without any appeal to notions of recursion theory; and a commitment to only considering computable elements and morphisms of effectively given domains, as advocated in [Kan79]. It should also be said that the link between observables and open sets in domain theory was clearly (though briefly!) stated in [Plo81, Chapter 8 p. 16], and used there to motivate the definition of the Plotkin powerdomain.

A final perspective is algebraic. The category Frm is algebraic over Set ([Joh82, II.1.2]); thus working with locales, we can view topology as a species of (infinitary) algebra. In particular, constructions of universal objects of various kinds by "generators and relations" are possible. Two highly relevant examples in the locale theory literature are [Joh85] and [Hyl81]. This provides a link with the information systems approach to domain theory as in [Sco82, LW84]. Some of our work in Chapters 3 and 4 can be seen as a systematization of these ideas in an explicitly syntactic framework.

2.4 Domains and Locales 

We now turn to the connections between domains and locales. Firstly, it is 
standard that domains can be viewed topologically. 

Definition 2.4.1 ([Plo81, Chapter 1 p. 16]). Given a poset $P$, the Scott topology on $P$ has as open sets those $U \subseteq P$ satisfying

1. $U$ is upper-closed, i.e. $U = \uparrow(U)$.

2. $U$ is inaccessible by $\omega$-chains, i.e.

$$\bigsqcup_{n} x_n \in U \;\Rightarrow\; \exists n.\; x_n \in U.$$

We write $\sigma(D)$ for the Scott topology on a domain $D$.
Proposition 2.4.2 (i) (loc. cit.) Let $D, E$ be cpo's; a function $f : D \to E$ is continuous in the cpo sense iff it is continuous with respect to the Scott topology.

(ii) ([Plo81, Chapter 6 p. 3]). For algebraic domains $D$, the Scott topology has a particularly simple form: namely all sets of the form

$$\bigcup_{i \in I} \uparrow(b_i) \qquad (b_i \in \mathcal{K}(D),\; i \in I).$$

Moreover, the compact-open sets are just those of this form with $I$ finite.

Given a space $X$, we define the specialisation order on $X$ by

$$x \le_{spec} y \;\equiv\; \forall U \in \Omega(X).\; x \in U \Rightarrow y \in U.$$

Proposition 2.4.3 ([Plo81, Chapter 1 p. 16]). Let $D$ be a cpo. The specialisation order on the space $(D, \sigma(D))$ coincides with the original ordering on $D$.

Thus we may regard domains indifferently as posets or as spaces with the Scott topology, justifying some earlier abuses of notation.
We now relate domains to coherent spaces. 

Theorem 2.4.4 (The 2/3 SFP Theorem) ([Plo81, Chapter 8 p. 41]). An algebraic cpo is coherent as a space iff it is "2/3 SFP" in the terminology of (loc. cit.). Since coherent spaces are sober ([Joh82, II.3.4]), any such domain $D$ satisfies

$$D \;\cong\; \mathrm{Spec}(K\Omega(D)).$$

We shall refer to such domains as coherent algebraic. Thus SDom and SFP are categories of coherent spaces, and we need only consider the lattices of compact-open sets on the logical side of the duality.

We conclude with some observations which show how the finite elements in a coherent algebraic domain play an ambiguous role as both points and properties. Firstly, we have

$$D \;\cong\; \mathrm{Idl}(\mathcal{K}(D))$$

so the finite elements determine the structure of $D$ on the spatial side. We can also recover the finite elements in purely lattice-theoretic terms from $A = K\Omega(D)$. Say that $a \in A$ is consistent if $a \neq 0$, and prime if $a \le b \vee c$ implies $a \le b$ or $a \le c$. (We should probably say coprime rather than prime, but as we will have no need for the dual concept, we will use the shorter term.) Writing $\mathrm{cpr}(A)$ for the set of consistent primes of $A$, we have

$$\mathcal{K}(D) \;\cong\; (\mathrm{cpr}(A))^{op}, \qquad A \;\cong\; \mathrm{L}((\mathcal{K}(D))^{op}). \tag{2.1}$$

(The fact that the latter construction produces a distributive lattice even though $\mathcal{K}(D)$ is not a meet-semilattice follows from the MUB axioms characterizing the coherent algebraic domains [Plo81, Chapter 8 p. 41].)

Theorem 2.4.5 Let $A$ be a distributive lattice. $\mathrm{Spec}(A)$ is coherent algebraic iff the following conditions are satisfied:

(1) $1_A \in \mathrm{cpr}(A)$

(2) $\forall a \in A.\; \exists b_1, \ldots, b_n \in \mathrm{cpr}(A).\; a = \bigvee_{i=1}^{n} b_i.$

Of these, (1) ensures the existence of a bottom point, and (2) says "there are enough primes". This result will be proved as part of our work in the next Chapter.
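A worked instance of (2.1) and of the two conditions of Theorem 2.4.5, added here as an illustration (it is not part of the original text): take $D$ to be the flat domain of booleans $\mathbb{B}_\bot = \{\bot, \mathit{tt}, \mathit{ff}\}$ with $\bot \sqsubseteq \mathit{tt}$ and $\bot \sqsubseteq \mathit{ff}$.

```latex
\text{Every element is finite: } \mathcal{K}(D) = \{\bot, \mathit{tt}, \mathit{ff}\}.
\\
\text{The compact-open sets are exactly the upper sets, so}
\\
A = K\Omega(D) = \{\emptyset,\ \{\mathit{tt}\},\ \{\mathit{ff}\},\ \{\mathit{tt},\mathit{ff}\},\ D\},
\quad \text{ordered by } \subseteq, \text{ with } 0_A = \emptyset,\ 1_A = D.
\\[1ex]
\text{Primes: } \emptyset,\ \{\mathit{tt}\},\ \{\mathit{ff}\},\ D \text{ are prime, while }
\{\mathit{tt},\mathit{ff}\} = \{\mathit{tt}\} \vee \{\mathit{ff}\} \text{ is not,}
\\
\text{since it lies under neither disjunct. } D \text{ is prime because } D \subseteq b \cup c
\text{ forces } \bot \in b \text{ or } \bot \in c,
\\
\text{and an upper set containing } \bot \text{ is all of } D.
\\[1ex]
\text{Hence } \mathrm{cpr}(A) = \{\{\mathit{tt}\}, \{\mathit{ff}\}, D\}, \text{ and (2.1) reads}
\\
\mathcal{K}(D) \cong (\mathrm{cpr}(A))^{op}:\qquad
\bot \mapsto \uparrow\!\bot = D,\quad
\mathit{tt} \mapsto \uparrow\!\mathit{tt} = \{\mathit{tt}\},\quad
\mathit{ff} \mapsto \uparrow\!\mathit{ff} = \{\mathit{ff}\};
\\
\bot \sqsubseteq \mathit{tt} \text{ in } D \text{ corresponds to } \{\mathit{tt}\} \subseteq D \text{ in } A,
\text{ i.e. } D \le \{\mathit{tt}\} \text{ in } (\mathrm{cpr}(A))^{op},
\\
\text{and } \{\mathit{tt}\}, \{\mathit{ff}\} \text{ are incomparable on both sides.}
\\[1ex]
\text{Theorem 2.4.5: } (1)\ 1_A = D \in \mathrm{cpr}(A);\qquad
(2)\ \emptyset = \bigvee \emptyset,\quad
\{\mathit{tt},\mathit{ff}\} = \{\mathit{tt}\} \vee \{\mathit{ff}\},
\\
\text{and every other element of } A \text{ is itself a consistent prime.}
\quad \text{So } \mathrm{Spec}(A) \cong D \text{ is coherent algebraic, as the theorem states.}
```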
Chapter 3

Domains and Theories 



3.1 Introduction 

In this Chapter, we lay some of the foundations for the domain logic to be presented in Chapter 4. In section 2, a category of domain prelocales (coherent propositional theories) and approximable mappings is defined, and proved equivalent to SDom. This is the category in which, implicitly, all the work of Chapter 4 is set. In section 3, following the ideas of a number of authors, particularly Larsen and Winskel in [LW84], a large cpo of domain prelocales is defined, and used to reduce the solution of domain equations to taking least fixpoints of continuous functions over this cpo. In section 4, a number of type constructions are defined as operations over domain prelocales. We prove in detail that these operations are naturally isomorphic to the corresponding constructions on domains. In section 5 a semantics for a language of recursive type expressions is given, in which each type is interpreted as a logical theory. This is related to a standard semantics in which types denote domains by showing that for each type its interpretation in the logical semantics is the Stone dual of its denotation in the standard semantics.

Important Notational Convention. Throughout this Chapter and the next, we shall use $I, J, K, L$ to range over finite index sets.
3.2 A Category of Pre-Locales

Definition 3.2.1 A coherent prelocale is a structure

$$A = (|A|,\ \le_A,\ =_A,\ 0_A,\ \vee_A,\ 1_A,\ \wedge_A)$$

where

• $|A|$ is a set, the carrier

• $\le_A$, $=_A$ are binary relations over $|A|$

• $0_A$, $1_A$ are constants, i.e. elements of $|A|$

• $\vee_A$, $\wedge_A$ are binary operations over $|A|$

subject to the following axioms (subscripts omitted):

(p1) $\quad a \le a \qquad \dfrac{a \le b \quad b \le c}{a \le c} \qquad \dfrac{a \le b \quad b \le a}{a = b} \qquad \dfrac{a = b}{a \le b \quad b \le a}$

(p2) $\quad 0 \le a \qquad \dfrac{a \le c \quad b \le c}{a \vee b \le c} \qquad a \le a \vee b \qquad b \le a \vee b$

(p3) $\quad a \le 1 \qquad \dfrac{a \le b \quad a \le c}{a \le b \wedge c} \qquad a \wedge b \le a \qquad a \wedge b \le b$

(p4) $\quad a \wedge (b \vee c) \le (a \wedge b) \vee (a \wedge c)$

Evidently, the quotient structure

$$\bar{A} = (|A|/\!=_A,\ \le_A/\!=_A)$$

is a distributive lattice.

Definition 3.2.2 Given a prelocale $A$, we define

(i) $\mathrm{pr}(A) = \{a \in |A| : \forall b, c \in |A|.\; a \le b \vee c \Rightarrow a \le b \text{ or } a \le c\}$

(ii) $\mathrm{con}(A) = \{a \in |A| : \neg(a =_A 0)\}$

(iii) $\mathrm{cpr}(A) = \mathrm{con}(A) \cap \mathrm{pr}(A)$

(iv) $\mathrm{t}(A) = \{a \in |A| : \neg(a =_A 1)\}$
Definition 3.2.3 A domain prelocale is a coherent prelocale $A$ which satisfies the following additional axioms:

(d1) $\forall a \in |A|.\; \exists b_1, \ldots, b_n \in \mathrm{pr}(A).\; a =_A \bigvee_{i=1}^{n} b_i$

(d2) $1_A \in \mathrm{cpr}(A)$

(d3) $a, b \in \mathrm{pr}(A) \Rightarrow a \wedge b \in \mathrm{pr}(A)$

We now introduce a notion of morphism for domain prelocales, based on Scott's approximable mappings [Sco81, Sco82].

Definition 3.2.4 Let $A, B$ be domain prelocales. An approximable mapping $R : A \to B$ is a relation $R \subseteq |A| \times |B|$ satisfying

(r1) $a R 1$

(r2) $aRb \;\&\; aRc \Rightarrow aR(b \wedge c)$

(r3) $0 R b$

(r4) $aRc \;\&\; bRc \Rightarrow (a \vee b) R c$

(r5) $a \le a' \, R \, b' \le b \Rightarrow aRb$

(r6) $aR0 \Rightarrow a =_A 0$

(r7) $a \in \mathrm{pr}(A) \;\&\; aR(b \vee c) \Rightarrow aRb \text{ or } aRc$.

Approximable mappings are closed under relational composition. We verify the least trivial closure condition, (r7). Suppose $R : A \to B$, $S : B \to C$, $a \in \mathrm{pr}(A)$ and $a (R \circ S)(b \vee c)$. For some $d \in |B|$, $aRd$ and $dS(b \vee c)$. By (d1),

$$d =_B \bigvee_{i \in I} d_i \qquad (d_i \in \mathrm{pr}(B),\; i \in I).$$

If $I = \emptyset$, $d =_B 0_B$, hence by (r3) $dSb$, and so $a(R \circ S)b$. Otherwise, by (r7), $aRd_i$ for some $i \in I$. Now

$$d_i \le \bigvee_{i \in I} d_i \; S \; (b \vee c) \;\Rightarrow\; d_i S (b \vee c) \qquad \text{(r5)}$$
$$\Rightarrow\; d_i S b \text{ or } d_i S c \qquad \text{(r7)}$$
$$\Rightarrow\; a(R \circ S)b \text{ or } a(R \circ S)c$$

as required. Identities with respect to this composition are given by

$$a \; \mathrm{id}_A \; b \;\equiv\; a \le_A b.$$

Hence we can define a category DPL of domain prelocales and approximable 
mappings. 

Definition 3.2.5 A pre-isomorphism $\varphi : A \cong B$ of domain prelocales is a surjective function

$$\varphi : |A| \to |B|$$

satisfying

$$\forall a, b \in |A|.\; a \le_A b \iff \varphi(a) \le_B \varphi(b).$$

Proposition 3.2.6 If $\varphi : A \cong B$ is a preisomorphism, the relation

$$a R_\varphi b \;\equiv\; \varphi(a) \le_B b$$

is an isomorphism in DPL. ∎

Theorem 3.2.7 DPL is equivalent to SDom.

Proof. We define functors

$$F : \mathbf{SDom} \to \mathbf{DPL}$$
$$G : \mathbf{DPL} \to \mathbf{SDom}$$

as follows:

$$F(D) = (K\Omega(D),\ \subseteq,\ =,\ \emptyset,\ \cup,\ D,\ \cap)$$

i.e. the distributive lattice of compact-open subsets of $D$;

$$F(f) = R_f,$$

where

$$a R_f b \;\equiv\; a \subseteq f^{-1}(b).$$

The verification that $F$ is well-defined is routine. Note that:

• $\mathrm{pr}(F(D)) = \{\uparrow(u) : u \in \mathcal{K}(D)\} \cup \{\emptyset\}$

• $a \in \mathrm{con}(F(D)) \iff a \neq \emptyset$

• $\uparrow u \cap \uparrow v \in \mathrm{con}(F(D)) \iff u \uparrow v$ (i.e. $u, v$ are consistent)

To verify (r7) for $R_f$, note that, for $u \in \mathcal{K}(D)$:

$$\uparrow u \; R_f \; (b \cup c) \iff f(u) \in b \cup c$$
$$\iff f(u) \in b \text{ or } f(u) \in c$$
$$\iff \uparrow u \subseteq f^{-1}(b) \text{ or } \uparrow u \subseteq f^{-1}(c).$$

$$G(A) = \hat{A},$$

where $\hat{A}$ is the set of prime proper filters of $A$, i.e. sets $x \subseteq |A| - \{0_A\}$ closed under finite conjunction and entailment and satisfying

$$a \vee b \in x \;\Rightarrow\; a \in x \text{ or } b \in x.$$

$\hat{A}$ is a partial order under set inclusion; or, equivalently, (via the specialisation order) a topological space with basic opens

$$U_a = \{x \in \hat{A} : a \in x\} \qquad (a \in |A|).$$

Note that, with either structure,

$$\hat{A} \cong \mathrm{Spec}\,\bar{A}.$$

$$G(R) = f_R,$$

where

$$f_R(x) = \{b \mid \exists a \in x.\; aRb\}.$$
We check that $G$ is well defined. By (d2), the filter generated by $1$ is prime, hence a least element for $\hat{A}$; while it is easy to see that $\hat{A}$ is closed under unions of directed families. Thus $\hat{A}$ is a cpo. Moreover, the principal filters $\uparrow(a)$ with $a \in \mathrm{cpr}(A)$ are prime, and (using (d1)) form a basis of finite elements. Finally, by (d3) this basis is closed under consistent finite joins. Thus $\hat{A}$ is a Scott domain.

Now we check that $f_R$ is well defined and continuous. Given $x \in \hat{A}$, it is easy to see that $f_R(x)$ is a filter. To check that it is prime, suppose $b \vee c \in f_R(x)$. Then for some $a \in x$, we must have $aR(b \vee c)$. By (d1),

$$a =_A \bigvee_{i \in I} a_i \qquad (a_i \in \mathrm{cpr}(A),\; i \in I).$$

Since $x$ is a proper filter, $a \neq 0$, hence $I \neq \emptyset$. Then since $x$ is prime, for some $i \in I$, $a_i \in x$. Now by (r7),

$$a_i R (b \vee c) \;\Rightarrow\; a_i R b \text{ or } a_i R c$$

and so $b \in f_R(x)$ or $c \in f_R(x)$. Since directed joins in $\hat{A}$ are just unions, continuity of $f_R$ is trivial.

The remainder of the verification that $G$ is a functor is routine.

We now define natural transformations

$$\eta : I_{\mathbf{SDom}} \to GF$$
$$\epsilon : I_{\mathbf{DPL}} \to FG$$

$$\eta_D(d) = \{U \in K\Omega(D) : d \in U\}$$
$$\epsilon_A = R_{\varphi_A},$$

where $\varphi_A : A \cong K\Omega(\hat{A})$ is the pre-isomorphism defined by

$$\varphi_A(a) = \{x \in \hat{A} : a \in x\}.$$

Note that $\eta, \varphi$ are the natural isomorphisms in the Stone duality for distributive lattices. This shows that the components of $\eta, \epsilon$ are isomorphisms, while naturality is easily checked to extend to our setting. Altogether, we have shown that

$$(F, G, \eta, \epsilon) : \mathbf{SDom} \simeq \mathbf{DPL}$$

is an equivalence of categories. ∎
3.3 A Cpo of Pre-locales



In this section, we follow the ideas of Larsen and Winskel [LW84], and define a (large) cpo of domain pre-locales, in such a way that type constructions can be represented as continuous functions over this cpo, and the process of solving recursive domain equations reduced to taking least fixed points of such functions.

Definition 3.3.1 Let $A, B$ be domain prelocales. Then we define $A \trianglelefteq B$ iff

• $(|A|, 0_A, \vee_A, 1_A, \wedge_A)$ is a subalgebra of $(|B|, 0_B, \vee_B, 1_B, \wedge_B)$

• $\le_A \subseteq \le_B$

Although this inclusion relation is simple, it is too weak, and has only been introduced for organisational purposes. What we need is

Definition 3.3.2 $A \le B$ iff

(s1) $A \trianglelefteq B$

(s2) $\forall a, b \in |A|.\; a \le_B b \Rightarrow a \le_A b$

(s3) $\mathrm{pr}(A) \subseteq \mathrm{pr}(B)$

Note that apart from (s3) this is just the usual notion of submodel (cf. e.g. [CK73]).

Proposition 3.3.3 The class of domain prelocales under $\le$ is an $\omega$-chain complete partial order.

Proof. The verification that $\le$ is a partial order is routine. Let $\{A_n\}$ be a $\le$-chain. Set

$$A_\infty = \Big(\bigcup_n |A_n|,\ \bigcup_n \le_{A_n},\ \ldots \text{ etc.}\Big).$$

We check that $A_\infty$ is a well-defined domain prelocale, for in that case it is clearly the least upper bound of the chain. We verify (d1) for illustration. Given $a \in |A_\infty|$, for some $n$, $a \in |A_n|$, hence

$$a =_{A_n} \bigvee_{i \in I} a_i \qquad (a_i \in \mathrm{pr}(A_n),\; i \in I).$$

Clearly $a =_{A_\infty} \bigvee_{i \in I} a_i$; furthermore, $\mathrm{pr}(A_n) \subseteq \mathrm{pr}(A_\infty)$. To see this, suppose $b \in \mathrm{pr}(A_n)$ and $b \le_{A_\infty} c \vee d$. For some $m \ge n$, $\{b, c, d\} \subseteq |A_m|$, and so $b \le_{A_m} c \vee d$. Since $A_n \le A_m$, $\mathrm{pr}(A_n) \subseteq \mathrm{pr}(A_m)$, and so $b \le_{A_m} c$ or $b \le_{A_m} d$, which implies $b \le_{A_\infty} c$ or $b \le_{A_\infty} d$, as required. ∎

The class of domain prelocales is not a cpo under $\le$; it does not have a least element. However, we can easily remedy this deficiency.

Definition 3.3.4 $\mathbf{1}$ is the domain prelocale defined as follows. The carrier $|\mathbf{1}|$ is defined inductively by

• $t, f \in |\mathbf{1}|$

• $a, b \in |\mathbf{1}| \Rightarrow a \wedge b,\ a \vee b \in |\mathbf{1}|$

The operations are defined "freely" in the obvious way:

$$0_{\mathbf{1}} = f,\quad 1_{\mathbf{1}} = t,\quad a \vee_{\mathbf{1}} b = a \vee b,\quad a \wedge_{\mathbf{1}} b = a \wedge b$$

Finally, $\le_{\mathbf{1}}$, $=_{\mathbf{1}}$ are defined inductively as the least relations satisfying (p1)-(p4). It is easy to see that the quotient of $\mathbf{1}$ is the two-point lattice; hence $\mathbf{1}$ is a domain prelocale.

Now let $\mathbf{DPL}_1$ be the class of domain prelocales $A$ such that $\mathbf{1} \le A$. Clearly $\mathbf{DPL}_1$ is still chain-complete. Thus we have

Proposition 3.3.5 $\mathbf{DPL}_1$ is a large cpo with least element $\mathbf{1}$. ∎

$\mathbf{DPL}_1$ also determines a full subcategory of DPL. To see that we are not losing anything in passing from DPL to $\mathbf{DPL}_1$, we note

Proposition 3.3.6 $\mathbf{DPL}_1$ is equivalent to DPL. ∎

We now relate this partial order of prelocales to the category of domains and embeddings used in the standard category-theoretic treatment of the solution of domain equations [SP82]. Recall that an embedding-projection pair between domains $D, E$ is a pair of continuous functions $e : D \to E$, $p : E \to D$ satisfying

$$p \circ e = \mathrm{id}_D$$
$$e \circ p \sqsubseteq \mathrm{id}_E.$$

Each of these functions uniquely determines the other, since $e$ is left adjoint to $p$. We write $e^R$ for the projection determined by $e$.

Proposition 3.3.7 If $A \le B$, then $e : \hat{A} \to \hat{B}$ is an embedding, where

$$e : x \mapsto \uparrow_B(x).$$



($\hat{A}$, $\hat{B}$ are defined as in the proof of Theorem 3.2.7.)

Proof. We define $p : \hat{B} \to \hat{A}$ by

$$p(y) = y \cap |A|.$$

Since $A$ is a sublattice of $B$, $p$ is well defined and continuous (it is the surjection corresponding under Stone duality to the inclusion of $A$ in $B$). We check that $e$ is well defined, specifically that $e(x)$ is prime, $x \in \hat{A}$. Suppose $b \vee c \in e(x)$. Then for some $a \in x$, $a \le_B b \vee c$. By (d1),

$$a =_A \bigvee_{i \in I} a_i \qquad (a_i \in \mathrm{pr}(A),\; i \in I).$$

Since $x$ is a prime proper filter, $a_i \in x$ for some $i \in I$. Since $A \le B$, $a_i \in \mathrm{pr}(B)$, and so

$$a_i \le_B a \le_B b \vee c \;\Rightarrow\; a_i \le_B b \text{ or } a_i \le_B c$$
$$\Rightarrow\; b \in e(x) \text{ or } c \in e(x).$$

Moreover,

$$p \circ e(x) = \uparrow_B(x) \cap |A| = x$$
$$e \circ p(y) = \uparrow_B(y \cap |A|) \subseteq \uparrow_B(y) = y.$$

Finally, $e$ preserves all joins since it is a left adjoint; in particular, it is continuous. ∎

Now given a (unary) type construction $T$, we will seek to represent it as a function

$$f_T : \mathbf{DPL}_1 \to \mathbf{DPL}_1$$

which is $\le$-monotonic and chain continuous. We can then construct the initial solution of the domain equation

$$D \cong T(D)$$

as the least fixpoint of the function $f_T$, given in the usual way as

$$\bigsqcup_{n} f_T^{\,n}(\mathbf{1}).$$

More generally, we can consider systems of domain equations by using powers of $\mathbf{DPL}_1$; while $T$ can be built up by composition from various primitive operations. As long as each basic type construction is $\le$-monotonic and continuous, this approach will work.

The task of verifying continuity is eased by the following observation, adapted from [LW84].

Proposition 3.3.8 Suppose $f : \mathbf{DPL}_1 \to \mathbf{DPL}_1$ is $\le$-monotonic and continuous on carriers, i.e. given a chain $\{A_n\}_{n < \omega}$, the carriers of $f(\bigsqcup_n A_n)$ and $\bigsqcup_n f(A_n)$ coincide; then $f$ is continuous.

Proof. Firstly, note that $A \le B$ and $|A| = |B|$ implies $A = B$. Now given a chain $\{A_n\}$ let

$$B = \bigsqcup_n f(A_n),$$
$$C = f\Big(\bigsqcup_n A_n\Big).$$

By monotonicity of $f$, $B \le C$, while by continuity on carriers, $|B| = |C|$. Hence $B = C$, and $f$ is continuous. ∎
3.4 Constructions



In this section, we fill in the programme outlined in the previous section by defining a number of type constructions as $\le$-monotonic and continuous functions over $\mathbf{DPL}_1$. These definitions will follow a common pattern. We take a binary type construction $T(A, B)$ for illustration. Specific to each such construction will be a set of generators $G(T(A, B))$. Then the carrier $|T(A, B)|$ is defined inductively by

• $G(T(A, B)) \subseteq |T(A, B)|$

• $t, f \in |T(A, B)|$

• $a, b \in |T(A, B)| \Rightarrow a \wedge b,\ a \vee b \in |T(A, B)|$

The operations $0, 1, \wedge, \vee$ are then defined "freely" in the obvious way, i.e.

$$0_{T(A,B)} = f,\quad a \vee_{T(A,B)} b = a \vee b,\quad 1_{T(A,B)} = t,\quad a \wedge_{T(A,B)} b = a \wedge b.$$

Finally, the relations $\le_{T(A,B)}$, $=_{T(A,B)}$ are defined inductively as the least satisfying (p1)-(p4) plus specific axioms on the generators. (Note that our definition of $\mathbf{1}$ in the previous section is the special case of this scheme where the set of generators is empty.)

As an essential part of the machinery for defining the type constructions, we shall introduce a number of meta-predicates over the carriers $|T(A, B)|$ of the constructed prelocales. These will be used as side-conditions on a number of axiom-schemes and rules. They will serve as "syntactic" analogues of the "semantic" predicates con, pr, t introduced previously. The same predicates will be defined for each construction:

• PNF, prime normal form.

• CON, T, defined over elements of the form $\bigwedge_{i \in I} a_i$, with each $a_i$ in PNF. CON is consistency (i.e. CON$(a)$ means $a \neq 0$), and T is termination (i.e. T$(a)$ means $a \neq 1$).

• CPNF, consistent prime normal forms, where CPNF$(a)$ implies PNF$(a)$ and CON$(a)$.

Given these definitions, three further predicates are defined as follows:
• CDNF, consistent disjunctive normal form:

$$\mathrm{CDNF}(a) \;\equiv\; a = \bigvee_{i \in I} a_i \;\&\; \forall i \in I.\; \mathrm{CPNF}(a_i)$$

• $\mathrm{T}(a) \;\equiv\; a = \bigvee_{i \in I} a_i \;\&\; \forall i \in I.\; \mathrm{PNF}(a_i) \;\&\; \mathrm{T}(a_i)$

• $\#(a) \;\equiv\; a = \bigvee_{i \in I} a_i \;\&\; \forall i \in I.\; \mathrm{PNF}(a_i) \;\&\; \neg\mathrm{CON}(a_i).$

It will follow from our general scheme of definition and the way that the generators are defined that the following points are immediate, for $A, A', B, B'$ in $\mathbf{DPL}_1$ with $A \le A'$ and $B \le B'$:

• $T(A, B)$ satisfies (p1)-(p4)

• $\mathbf{1} \le T(A, B)$

• $T(A, B) \trianglelefteq T(A', B')$

• $T$ is continuous on carriers.

We are left to focus our attention on proving that:

• $T(A, B)$ satisfies (d1)-(d3)

• conditions (s2) and (s3) for $T(A, B) \le T(A', B')$ are satisfied.

Our method of establishing this for each $T$ is uniform, and goes via another essential verification, namely that $T$ does indeed correspond to the intended construction over domains. We define a semantic function

$$[\![\cdot]\!]_{T(A,B)} : |T(A, B)| \to K\Omega(F_T(A, B))$$

where $F_T$ is the functor over SDom corresponding to $T$, and show that $[\![\cdot]\!]_{T(A,B)}$ is a (pre)isomorphism; and moreover natural with respect to embeddings induced by $\le$. This allows us to read off the required "proof-theoretic" facts about $T$ from the known "model-theoretic" ones about $F_T$. Moreover, we can derive "soundness and completeness" theorems as byproducts.

For each type construction $T$, we prove the following sequence of results:
T1: Adequacy of Metapredicates. For each $a \in \mathrm{PNF}(T(A, B))$:

(i) $[\![a]\!]_{T(A,B)} \in \mathrm{pr}(K\Omega(F_T(A, B)))$

(ii) $\mathrm{CON}(a) \iff [\![a]\!]_{T(A,B)} \neq \emptyset$

(iii) $\mathrm{T}(a) \iff \bot_{F_T(A,B)} \notin [\![a]\!]_{T(A,B)}$.

T2: Normal Forms.

$$\forall a \in |T(A, B)|.\; \exists b \in \mathrm{CDNF}(T(A, B)).\; a =_{T(A,B)} b$$

T3: Soundness. For all $a, b \in |T(A, B)|$:

$$a \le_{T(A,B)} b \;\Rightarrow\; [\![a]\!]_{T(A,B)} \subseteq [\![b]\!]_{T(A,B)}.$$

T4: Prime Completeness. For all $a, b \in \mathrm{CPNF}(T(A, B))$:

$$[\![a]\!]_{T(A,B)} \subseteq [\![b]\!]_{T(A,B)} \;\Rightarrow\; a \le_{T(A,B)} b.$$

T5: Definability.

$$\forall u \in \mathcal{K}(F_T(A, B)).\; \exists a \in \mathrm{CPNF}(T(A, B)).\; [\![a]\!]_{T(A,B)} = \uparrow(u).$$

T6: Naturality. Given $A \le A'$, $B \le B'$ in $\mathbf{DPL}_1$, let $e_1 : \hat{A} \to \hat{A'}$, $e_2 : \hat{B} \to \hat{B'}$ be the corresponding embeddings. Given an embedding $e : D \to E$, let $e^\dagger : K\Omega(D) \to K\Omega(E)$ be defined by

$$e^\dagger(\uparrow X) = \uparrow e(X) \qquad (X \subseteq_f \mathcal{K}(D)),$$

which is well defined since embeddings map finite elements to finite elements. Let

$$\eta_{T(A,B)} : \hat{C} \to F_T(A, B)$$

be the adjoint of $[\![\cdot]\!]_{T(A,B)}$, where $C = T(A, B)$. Then:

(A) $(F_T(e_1, e_2))^\dagger \circ [\![\cdot]\!]_{T(A,B)} = [\![\cdot]\!]_{T(A',B')}$

(B) $F_T(e_1, e_2) \circ \eta_{T(A,B)} = \eta_{T(A',B')} \circ \uparrow_{T(A',B')}(\cdot)$

(These equations make sense since $T(A, B) \trianglelefteq T(A', B')$ by assumption.)

All the desired properties of our constructions can easily be derived from these results.
T7: Completeness. For $a, b \in |T(A, B)|$:

$$[\![a]\!]_{T(A,B)} \subseteq [\![b]\!]_{T(A,B)} \;\Rightarrow\; a \le_{T(A,B)} b.$$

Proof. By (T2),

$$a =_{T(A,B)} \bigvee_{i \in I} a_i, \qquad b =_{T(A,B)} \bigvee_{j \in J} b_j,$$

with $a_i, b_j \in \mathrm{CPNF}(T(A, B))$ ($i \in I$, $j \in J$). By (T3),

$$[\![a]\!]_{T(A,B)} = [\![\bigvee_{i \in I} a_i]\!]_{T(A,B)}, \qquad [\![b]\!]_{T(A,B)} = [\![\bigvee_{j \in J} b_j]\!]_{T(A,B)}.$$

By (T1), $[\![a_i]\!]_{T(A,B)} = \uparrow(u_i)$ and $[\![b_j]\!]_{T(A,B)} = \uparrow(v_j)$ with

$$u_i, v_j \in \mathcal{K}(F_T(A, B)) \qquad (i \in I,\; j \in J).$$

Now,

$$[\![a]\!]_{T(A,B)} \subseteq [\![b]\!]_{T(A,B)}$$
$$\Rightarrow\; \forall i \in I.\; \exists j \in J.\; \uparrow(u_i) \subseteq \uparrow(v_j)$$
$$\Rightarrow\; \forall i \in I.\; \exists j \in J.\; a_i \le_{T(A,B)} b_j \qquad \text{by (T4)}$$
$$\Rightarrow\; \forall i \in I.\; a_i \le_{T(A,B)} \bigvee_{j \in J} b_j \qquad \text{by (p2)}$$
$$\Rightarrow\; a \le_{T(A,B)} b \qquad \text{by (p1).} \;\blacksquare$$

(T8): Stone Duality. $T(A, B)$ is the Stone dual of $F_T(A, B)$, i.e.

(i) $F_T(A, B) \cong \hat{C}$ $\quad (C = T(A, B))$

(ii) $[\![\cdot]\!] : |T(A, B)| \to K\Omega(F_T(A, B))$ is a pre-isomorphism.

Proof. (i) and (ii) are equivalent since Scott domains are coherent. (ii) is an immediate consequence of (T3), (T5) and (T7). ∎

(T9). $T$ is a well defined, $\le$-monotonic and continuous operation on $\mathbf{DPL}_1$.

Proof. $T(A, B)$ is a domain prelocale by (T8), since $K\Omega(F_T(A, B))$ is. Given $A \le A'$, $B \le B'$, $T(A, B) \le T(A', B')$ follows from (T6)(A) and the following general properties of $e^\dagger$ for embeddings $e : D \to E$:

1. $e^\dagger$ is an order-mono, i.e. for $U, V \in K\Omega(D)$:

$$U \subseteq V \iff e^\dagger(U) \subseteq e^\dagger(V)$$

2. $e^\dagger$ preserves primes.

To prove (1), we take $U = \uparrow X$, $V = \uparrow Y$, and calculate:

$$\uparrow X \subseteq \uparrow Y \iff \forall x \in X.\; \exists y \in Y.\; y \sqsubseteq x$$
$$\iff \forall x \in X.\; \exists y \in Y.\; e(y) \sqsubseteq e(x) \qquad e \text{ is an order-mono}$$
$$\iff \uparrow e(X) \subseteq \uparrow e(Y)$$
$$\iff e^\dagger(U) \subseteq e^\dagger(V).$$

For (2), we recall that $U \in \mathrm{pr}(K\Omega(D))$ implies $U = \emptyset$ or $U = \uparrow(u)$ for some $u \in \mathcal{K}(D)$. But $e^\dagger(\emptyset) = \emptyset$, $e^\dagger(\uparrow(u)) = \uparrow(e(u))$.

By the remarks at the beginning of the section, the proof is now complete. ∎

Notation. Given a domain prelocale $A$, we write

$$[\![\cdot]\!]_A : |A| \to K\Omega(\hat{A})$$

for the pre-isomorphism $\varphi_A$ defined in the proof of Theorem 3.2.7.

We note a further trivial but useful fact about direct images of embeddings for future use.

Proposition 3.4.1 If $A \le B$, and $e : \hat{A} \to \hat{B}$ is the induced embedding, then

$$e^\dagger \circ [\![\cdot]\!]_A = [\![\cdot]\!]_B. \;\blacksquare$$

Definition 3.4.2 The function space construction $A \to B$.

(i) The generators:

$$G(A \to B) = \{(a \to b) : a \in |A|,\ b \in |B|\}.$$

This fixes $|A \to B|$ according to the general scheme described above.
(ii) The metapredicates:

$$\mathrm{PNF}(A \to B) = \Big\{\bigwedge_{i \in I}(a_i \to b_i) : a_i \in \mathrm{pr}(A),\ b_i \in \mathrm{pr}(B),\ i \in I\Big\}$$

$$\mathrm{CON}\Big(\bigwedge_{i \in I}(a_i \to b_i)\Big) \;\equiv\; \forall J \subseteq I.\; \bigwedge_{j \in J} a_j \in \mathrm{con}(A) \Rightarrow \bigwedge_{j \in J} b_j \in \mathrm{con}(B)$$

$$\mathrm{T}\Big(\bigwedge_{i \in I}(a_i \to b_i)\Big) \;\equiv\; \exists i \in I.\; a_i \in \mathrm{con}(A) \;\&\; b_i \in \mathrm{t}(B)$$

$$\mathrm{CPNF}\Big(\bigwedge_{i \in I}(a_i \to b_i)\Big) \;\equiv\; \mathrm{CON}\Big(\bigwedge_{i \in I}(a_i \to b_i)\Big) \;\&\; \forall i \in I.\; a_i \in \mathrm{con}(A) \;\&\; b_i \in \mathrm{con}(B)$$

The predicates CDNF, T(·), #(·) are then defined according to our general scheme.

(iii) The relations $\le_{A \to B}$, $=_{A \to B}$ are then defined inductively by the following axioms and rules in addition to (p1)-(p4) (subscripts omitted).

(→-≤) $\quad \dfrac{a' \le a \qquad b \le b'}{(a \to b) \le (a' \to b')}$

(→-∧) $\quad (a \to \bigwedge_{i \in I} b_i) = \bigwedge_{i \in I}(a \to b_i)$

(→-∨-L) $\quad (\bigvee_{i \in I} a_i \to b) = \bigwedge_{i \in I}(a_i \to b)$

(→-∨-R) $\quad (a \to \bigvee_{i \in I} b_i) = \bigvee_{i \in I}(a \to b_i) \qquad (a \in \mathrm{cpr}(A))$

(→-#) $\quad a \le 0 \qquad (\#(a))$

(iv) The semantic function

$$[\![\cdot]\!]_{A \to B} : |A \to B| \to K\Omega([\hat{A} \to \hat{B}])$$

is defined by

$$[\![(a \to b)]\!]_{A \to B} = ([\![a]\!]_A, [\![b]\!]_B)$$

where for spaces $X, Y$ and subsets $U \in K\Omega(X)$, $V \in K\Omega(Y)$,

$$(U, V) = \{f : X \to Y \mid f \text{ continuous},\ f(U) \subseteq V\}$$

is a sub-basic open set in the compact-open topology. The further clauses

$$[\![\bigwedge_{i \in I} a_i]\!] = \bigcap_{i \in I} [\![a_i]\!], \qquad [\![\bigvee_{i \in I} a_i]\!] = \bigcup_{i \in I} [\![a_i]\!]$$

will apply to all type constructions.
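A worked instance of the function space construction, added here as an illustration and not part of the original text. Assume $A = B$ is a domain prelocale whose quotient is $K\Omega(O)$ for the Sierpinski domain $O = \{\bot \sqsubseteq \top\}$, so that $\hat{A} = \hat{B} \cong O$; the labels $p$ (the prime with $[\![p]\!]_A = \{\top\}$) and $1$ (the top, $[\![1]\!]_A = O$) are mine.

```latex
\text{The continuous maps } O \to O \text{ are the two constants } c_\bot, c_\top \text{ and } \mathrm{id},
\text{ ordered pointwise } c_\bot \sqsubseteq \mathrm{id} \sqsubseteq c_\top,
\\
\text{and each is a step function: } c_\bot = [\bot,\bot] = [\top,\bot],\quad
\mathrm{id} = [\top,\top],\quad c_\top = [\bot,\top].
\\[1ex]
\text{Semantics of the generators, using } (U,V) = \{f \mid f(U) \subseteq V\}:
\\
[\![(p \to p)]\!] = (\{\top\},\{\top\}) = \{\mathrm{id}, c_\top\} = \uparrow\![\top,\top],
\\
[\![(1 \to p)]\!] = (O,\{\top\}) = \{c_\top\} = \uparrow\![\bot,\top],
\\
[\![(p \to 1)]\!] = [\![(1 \to 1)]\!] = [\hat A \to \hat B] \quad (\text{every } f \text{ maps into } O).
\\[1ex]
\text{Metapredicates on } a = (p \to p) \wedge (1 \to p), \text{ i.e. } a_1 = p,\ b_1 = p,\ a_2 = 1,\ b_2 = p:
\\
\mathrm{CON}(a):\ \text{for } J = \{1\},\{2\},\{1,2\} \text{ the meets } \textstyle\bigwedge_{j\in J} a_j \text{ are } p,\ 1,\ p \in \mathrm{con}(A)
\\
\text{and the meets } \textstyle\bigwedge_{j\in J} b_j \text{ are } p,\ p,\ p \in \mathrm{con}(B)
\ (J = \emptyset \text{ gives } 1 \Rightarrow 1), \text{ so CON}(a) \text{ holds;}
\\
\mathrm{T}(a):\ a_2 = 1 \in \mathrm{con}(A) \text{ and } b_2 = p \in \mathrm{t}(B) \text{ since } p \neq 1, \text{ so T}(a) \text{ holds.}
\\
\text{Adequacy (T1): } [\![a]\!] = \{\mathrm{id}, c_\top\} \cap \{c_\top\} = \{c_\top\} \neq \emptyset
\text{ and } \bot_{[O \to O]} = c_\bot \notin [\![a]\!].
\\[1ex]
\text{Prime completeness (T4): } [\![(1 \to p)]\!] = \{c_\top\} \subseteq \{\mathrm{id}, c_\top\} = [\![(p \to p)]\!],
\\
\text{and } (1 \to p) \le (p \to p) \text{ is derived by } (\to\text{-}\le) \text{ from } p \le 1 \text{ and } p \le p.
\\
\text{Conversely } \{\mathrm{id}, c_\top\} \not\subseteq \{c_\top\}, \text{ so by soundness (T3) } (p \to p) \le (1 \to p)
\text{ is not derivable.}
```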

We will now establish that the function space construction satisfies (T1)-(T6) in a sequence of propositions.

Proposition 3.4.3 (T1) For all $a \in \mathrm{PNF}(A \to B)$:

(i) $[\![a]\!]_{A \to B} \in \mathrm{pr}(K\Omega([\hat{A} \to \hat{B}]))$

(ii) $\mathrm{CON}(a) \iff [\![a]\!]_{A \to B} \neq \emptyset$

(iii) $\mathrm{T}(a) \iff \bot \notin [\![a]\!]_{A \to B}$.

Proof. (i) Let $a \in \mathrm{pr}(A)$, $b \in \mathrm{pr}(B)$. If $a \notin \mathrm{con}(A)$,

$$[\![(a \to b)]\!]_{A \to B} = [\hat{A} \to \hat{B}] = 1_{K\Omega([\hat{A} \to \hat{B}])},$$

while if $a \in \mathrm{con}(A)$, $b \notin \mathrm{con}(B)$,

$$[\![(a \to b)]\!]_{A \to B} = \emptyset.$$

Otherwise, $a \in \mathrm{con}(A)$ and $b \in \mathrm{con}(B)$. Let $u = \uparrow(a)$, $v = \uparrow(b)$. Then $u \in \mathcal{K}(\hat{A})$, $v \in \mathcal{K}(\hat{B})$, and so

$$[\![(a \to b)]\!]_{A \to B} = ([\![a]\!]_A, [\![b]\!]_B) = \uparrow[u, v]$$

where $[u, v]$ is the step function in $[\hat{A} \to \hat{B}]$. Similarly, for $a_i \in \mathrm{cpr}(A)$, $b_i \in \mathrm{cpr}(B)$:

$$[\![\bigwedge_{i \in I}(a_i \to b_i)]\!]_{A \to B} = \bigcap_{i \in I} \uparrow[u_i, v_i]$$
$$= \begin{cases} \uparrow\bigsqcup_{i \in I}[u_i, v_i] & \text{if } \uparrow\{[u_i, v_i] : i \in I\} \\ \emptyset & \text{otherwise.} \end{cases}$$

(ii) Let $a = \bigwedge_{i \in I}(a_i \to b_i)$. We use the notation of (i). Suppose $\mathrm{CON}(a)$. Then for $i \in I$,

$$b_i \notin \mathrm{con}(B) \;\Rightarrow\; a_i \notin \mathrm{con}(A) \;\Rightarrow\; [\![(a_i \to b_i)]\!]_{A \to B} = 1_{K\Omega([\hat{A} \to \hat{B}])},$$

and so

$$[\![a]\!]_{A \to B} = [\![\bigwedge\{(a_j \to b_j) : a_j \in \mathrm{cpr}(A),\ b_j \in \mathrm{cpr}(B)\}]\!]_{A \to B}$$
$$= \uparrow\Big(\bigsqcup\{[u_j, v_j] : a_j \in \mathrm{cpr}(A),\ b_j \in \mathrm{cpr}(B)\}\Big),$$

which is well-defined by 2.2.2. For the converse, suppose $\neg\mathrm{CON}(a)$. Then for some $J \subseteq I$, $\bigwedge_{j \in J} a_j \in \mathrm{con}(A)$ and $\bigwedge_{j \in J} b_j \notin \mathrm{con}(B)$. But then we have

$$[\![a]\!]_{A \to B} \subseteq [\![(\bigwedge_{j \in J} a_j \to \bigwedge_{j \in J} b_j)]\!]_{A \to B} = \emptyset.$$

(iii) With notation as in (ii),

$$\bot \notin [\![a]\!]_{A \to B} \iff \exists i \in I.\; \bot \notin [\![(a_i \to b_i)]\!]_{A \to B}.$$

Now if $a_i \notin \mathrm{con}(A)$,

$$\bot \in 1_{K\Omega([\hat{A} \to \hat{B}])} = [\![(a_i \to b_i)]\!]_{A \to B};$$

while if $a_i \in \mathrm{con}(A)$, $b_i \notin \mathrm{con}(B)$, then

$$\bot \notin \emptyset = [\![(a_i \to b_i)]\!]_{A \to B}.$$

Finally, if $a_i \in \mathrm{con}(A)$ and $b_i \in \mathrm{con}(B)$, then $[\![(a_i \to b_i)]\!]_{A \to B} = \uparrow[u_i, v_i]$, and

$$\bot \notin [\![(a_i \to b_i)]\!]_{A \to B} \iff v_i \neq \bot \iff b_i \in \mathrm{t}(B).$$

Thus $\bot \notin [\![(a_i \to b_i)]\!]_{A \to B} \iff a_i \in \mathrm{con}(A) \;\&\; b_i \in \mathrm{t}(B)$. ∎

As corollaries we have:

(iv) $\mathrm{CPNF}(\bigwedge_{i \in I}(a_i \to b_i)) \;\Rightarrow\; [\![\bigwedge_{i \in I}(a_i \to b_i)]\!]_{A \to B} = \uparrow(\bigsqcup_{i \in I}[u_i, v_i])$, where $\uparrow u_i = [\![a_i]\!]_A$, $\uparrow v_i = [\![b_i]\!]_B$, $i \in I$.

(v) $\#(a) \;\Rightarrow\; [\![a]\!]_{A \to B} = \emptyset$.

(vi) $\mathrm{T}(a) \iff \bot \notin [\![a]\!]_{A \to B}$.
Proposition 3.4.4 (T2) $\forall a \in |A \to B|.\; \exists b \in \mathrm{CDNF}(A \to B).\; a =_{A \to B} b$.

Proof. Using the distributive lattice laws, $a$ can be put in the form

$$\bigvee_{i \in I} \bigwedge_{j \in J_i} (a_{ij} \to b_{ij}).$$

By (d1), each $a_{ij}$ is equal to

$$\bigvee_{k \in K_{ij}} c_k \qquad (c_k \in \mathrm{pr}(A),\; k \in K_{ij}),$$

and each $b_{ij}$ is equal to

$$\bigvee_{l \in L_{ij}} d_l \qquad (d_l \in \mathrm{pr}(B),\; l \in L_{ij}).$$

Moreover, we may assume that $c_k \in \mathrm{con}(A)$ for all $k \in K_{ij}$, since otherwise

$$\bigvee_{k \in K_{ij}} c_k =_A \bigvee_{k' \in K_{ij} - \{k\}} c_{k'},$$

and so any inconsistent disjuncts can be deleted; and similarly for the $d_l$. Now

$$\Big(\bigvee_{k \in K_{ij}} c_k \to \bigvee_{l \in L_{ij}} d_l\Big) =_{A \to B} \bigwedge_{k \in K_{ij}}\Big(c_k \to \bigvee_{l \in L_{ij}} d_l\Big) \qquad \text{by } (\to\text{-}\vee\text{-L})$$
$$=_{A \to B} \bigwedge_{k \in K_{ij}} \bigvee_{l \in L_{ij}} (c_k \to d_l) \qquad \text{by } (\to\text{-}\vee\text{-R}).$$

Using the distributive lattice laws again, we obtain the required normal form. ∎
Proposition 3.4.5 (T3) $\forall a, b \in |A \to B|.\; a \le_{A \to B} b \Rightarrow [\![a]\!]_{A \to B} \subseteq [\![b]\!]_{A \to B}$.

Proof. $[\![\cdot]\!]_{A \to B}$ preserves meets and joins by definition, and (p1)-(p4) are valid in any distributive lattice. Moreover, given any spaces $X, Y$ and subsets $U \subseteq X$, $V \subseteq Y$,

$$U' \subseteq U,\ V \subseteq V' \;\Rightarrow\; (U, V) \subseteq (U', V')$$
$$(U, \bigcap_{i \in I} V_i) = \bigcap_{i \in I} (U, V_i)$$
$$(\bigcup_{i \in I} U_i, V) = \bigcap_{i \in I} (U_i, V)$$

are simple set-theoretic calculations. The soundness of (→-#) follows from Corollary (v) to Proposition 3.4.3. Finally, suppose $a \in \mathrm{cpr}(A)$. Then $[\![a]\!]_A = \uparrow u$ with $u \in \mathcal{K}(\hat{A})$, and

$$[\![(a \to \bigvee_{i \in I} b_i)]\!]_{A \to B} = (\uparrow u, \bigcup_{i \in I} [\![b_i]\!]_B)$$
$$= \{f : f(u) \in \bigcup_{i \in I} [\![b_i]\!]_B\} \qquad \text{by monotonicity}$$
$$= \bigcup_{i \in I} \{f : f(u) \in [\![b_i]\!]_B\}$$
$$= \bigcup_{i \in I} (\uparrow u, [\![b_i]\!]_B)$$
$$= [\![\bigvee_{i \in I}(a \to b_i)]\!]_{A \to B}$$

and so (→-∨-R) is sound. ∎

Proposition 3.4.6 (T4) For $\bigwedge_{i \in I}(a_i \to b_i),\ \bigwedge_{j \in J}(a_j \to b_j) \in \mathrm{CPNF}(A \to B)$:

$$[\![\bigwedge_{i \in I}(a_i \to b_i)]\!]_{A \to B} \subseteq [\![\bigwedge_{j \in J}(a_j \to b_j)]\!]_{A \to B}$$

implies

$$\bigwedge_{i \in I}(a_i \to b_i) \le_{A \to B} \bigwedge_{j \in J}(a_j \to b_j).$$

Proof. By Corollary (iv) to Proposition 3.4.3,

$$[\![\bigwedge_{i \in I}(a_i \to b_i)]\!]_{A \to B} = \uparrow\bigsqcup_{i \in I}[u_i, v_i],$$
$$[\![\bigwedge_{j \in J}(a_j \to b_j)]\!]_{A \to B} = \uparrow\bigsqcup_{j \in J}[u_j, v_j],$$

where

$$\uparrow u_i = [\![a_i]\!]_A, \;\ldots\text{ etc.}$$

Now,

$$[\![\bigwedge_{i \in I}(a_i \to b_i)]\!]_{A \to B} \subseteq [\![\bigwedge_{j \in J}(a_j \to b_j)]\!]_{A \to B}$$
$$\iff \bigsqcup_{j \in J}[u_j, v_j] \sqsubseteq \bigsqcup_{i \in I}[u_i, v_i]$$
$$\iff \forall j \in J.\; v_j \sqsubseteq \bigsqcup\{v_i : u_i \sqsubseteq u_j\}$$
$$\iff \forall j \in J.\; \bigwedge\{b_i : a_j \le_A a_i\} \le_B b_j. \qquad (*)$$

Thus, for all $j \in J$:

$$\bigwedge_{i \in I}(a_i \to b_i) \le_{A \to B} \bigwedge\{(a_i \to b_i) : a_j \le_A a_i\} \qquad \text{by (p3)}$$
$$\le_{A \to B} \bigwedge\{(a_j \to b_i) : a_j \le_A a_i\} \qquad \text{by } (\to\text{-}\le)$$
$$=_{A \to B} (a_j \to \bigwedge\{b_i : a_j \le_A a_i\}) \qquad \text{by } (\to\text{-}\wedge)$$
$$\le_{A \to B} (a_j \to b_j) \qquad \text{by } (*)$$

and so by (p2)

$$\bigwedge_{i \in I}(a_i \to b_i) \le_{A \to B} \bigwedge_{j \in J}(a_j \to b_j). \;\blacksquare$$

Proposition 3.4.7 (T5) $\forall u \in \mathcal{K}([\hat{A} \to \hat{B}]).\; \exists a \in |A \to B|.\; [\![a]\!]_{A \to B} = \uparrow(u)$.
Proof. Directly from Propositions 2.4.2 and 3.4.3. ∎

Proposition 3.4.8 (T6) Given $A \le A'$, $B \le B'$, let $e_1 : \hat{A} \to \hat{A'}$, $e_2 : \hat{B} \to \hat{B'}$ be the corresponding embeddings. Then

(A) $(e_1 \to e_2)^\dagger \circ [\![\cdot]\!]_{A \to B} = [\![\cdot]\!]_{A' \to B'}$

(B) $(e_1 \to e_2) \circ \eta_{A \to B} = \eta_{A' \to B'} \circ \uparrow(\cdot)$.

Proof. Firstly, we recall the definition of $e_1 \to e_2$:

$$(e_1 \to e_2)(f) = e_2 \circ f \circ e_1^R,$$

where $e_1^R$ is the right adjoint of $e_1$, i.e. the corresponding projection. Now in fact we can eliminate the use of the projection in describing $(e_1 \to e_2)$, since we have

$$(e_1 \to e_2)\Big(\bigsqcup_{i \in I}[u_i, v_i]\Big) = \bigsqcup_{i \in I}[e_1(u_i), e_2(v_i)].$$

Indeed,

$$(e_1 \to e_2)\Big(\bigsqcup_{i \in I}[u_i, v_i]\Big)(d)$$
$$= e_2 \circ \bigsqcup_{i \in I}[u_i, v_i] \circ e_1^R(d)$$
$$= e_2\Big(\bigsqcup_{i \in I}\{v_i : u_i \sqsubseteq e_1^R(d)\}\Big)$$
$$= e_2\Big(\bigsqcup_{i \in I}\{v_i : e_1(u_i) \sqsubseteq d\}\Big)$$
$$= \bigsqcup_{i \in I}\{e_2(v_i) : e_1(u_i) \sqsubseteq d\}$$

($e_2$ preserves joins since it is a left adjoint)

$$= \Big(\bigsqcup_{i \in I}[e_1(u_i), e_2(v_i)]\Big)(d).$$

Now for (A), given

$$a = \bigvee_{i \in I} \bigwedge_{j \in J_i}(a_{ij} \to b_{ij}) \in \mathrm{CDNF}(A \to B),$$

we calculate

$$(e_1 \to e_2)^\dagger [\![a]\!]_{A \to B} = \bigcup_{i \in I} \bigcap_{j \in J_i} \big(e_1^\dagger [\![a_{ij}]\!]_A,\ e_2^\dagger [\![b_{ij}]\!]_B\big) = [\![a]\!]_{A' \to B'}.$$
Similarly for (B) we have:

$$(e_1 \to e_2) \circ \eta_{A \to B}(x)$$
$$= \bigsqcup\{[u, v] : \exists (a \to b) \in x.\; \uparrow u = [\![a]\!]_{A'} \;\&\; \uparrow v = [\![b]\!]_{B'}\}$$
$$= \eta_{A' \to B'}(\uparrow(x)). \;\blacksquare$$

To illustrate the uniformity in our treatment of all the type constructions, we shall deal with two more: the upper or Smyth powerdomain, and the coalesced sum.

Definition 3.4.9 The upper powerdomain $P_u(A)$.

(i) The generators:

$$G(P_u(A)) = \{\Box a : a \in |A|\}$$

(ii) Metapredicates:

$$\mathrm{PNF}(P_u(A)) = \Big\{\Box \bigvee_{i \in I} a_i : a_i \in \mathrm{pr}(A),\ i \in I\Big\}$$

$$\mathrm{CON}(t)$$

$$\mathrm{CON}\Big(\bigwedge_{i \in I} \Box \bigvee_{j \in J_i} a_{ij}\Big) \;\equiv\; \exists f \in \prod_{i \in I} J_i.\; \bigwedge_{i \in I} a_{i f(i)} \in \mathrm{con}(A)$$

$$\mathrm{T}\Big(\bigwedge_{i \in I} \Box \bigvee_{j \in J_i} a_{ij}\Big) \;\equiv\; \exists i \in I.\; \forall j \in J_i.\; a_{ij} \in \mathrm{t}(A)$$

$$\mathrm{CPNF}\Big(\Box \bigvee_{i \in I} a_i\Big) \;\equiv\; \mathrm{CON}\Big(\Box \bigvee_{i \in I} a_i\Big) \;\&\; \forall i \in I.\; a_i \in \mathrm{con}(A)$$

(iii) Axioms in addition to (p1)-(p4):

(□-≤) $\quad \dfrac{a \le b}{\Box a \le \Box b}$

(□-∧) $\quad \Box \bigwedge_{i \in I} a_i = \bigwedge_{i \in I} \Box a_i$

(□-0) $\quad \Box 0 = 0$

(iv) The semantic function:

$$[\![\cdot]\!]_{P_u(A)} : |P_u(A)| \to K\Omega(P_u(\hat{A}))$$

$$[\![\Box a]\!]_{P_u(A)} = \{S \in P_u(\hat{A}) : S \subseteq [\![a]\!]_A\}$$

(The further clauses are the standard ones described in the definition of function space.)
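A worked instance of the upper powerdomain construction, added here as an illustration and not part of the original text. Assume $A$ is a domain prelocale with $\hat{A} \cong \mathbb{B}_\bot = \{\bot, \mathit{tt}, \mathit{ff}\}$ (the flat booleans), and write $a_{tt}, a_{ff}$ for the consistent primes with $[\![a_{tt}]\!]_A = \{\mathit{tt}\}$ and $[\![a_{ff}]\!]_A = \{\mathit{ff}\}$; these names are mine.

```latex
\text{The elements of } P_u(\hat A) \text{ are the non-empty compact upper sets of } \mathbb{B}_\bot:
\\
\{\mathit{tt}\},\quad \{\mathit{ff}\},\quad \{\mathit{tt},\mathit{ff}\},\quad \mathbb{B}_\bot,
\qquad \text{ordered by reverse inclusion, so } \bot_{P_u(\hat A)} = \mathbb{B}_\bot.
\\[1ex]
\text{Semantics of two PNF elements:}
\\
[\![\Box(a_{tt} \vee a_{ff})]\!] = \{S : S \subseteq \{\mathit{tt},\mathit{ff}\}\}
= \{\{\mathit{tt}\},\{\mathit{ff}\},\{\mathit{tt},\mathit{ff}\}\} = \uparrow_{P_u(\hat A)}\{\mathit{tt},\mathit{ff}\},
\\
[\![\Box a_{tt}]\!] = \{S : S \subseteq \{\mathit{tt}\}\} = \{\{\mathit{tt}\}\} = \uparrow_{P_u(\hat A)}\{\mathit{tt}\}.
\\[1ex]
\text{Metapredicates on } \Box(a_{tt} \vee a_{ff}) \text{ (here } I = \{1\},\ J_1 = \{tt, ff\}):
\\
\mathrm{CON}:\ \text{each choice } f \in \prod_{i \in I} J_i \text{ picks a single disjunct } a_{tt} \text{ or } a_{ff},
\text{ both in } \mathrm{con}(A), \text{ so CON holds;}
\\
\mathrm{T}:\ a_{tt}, a_{ff} \in \mathrm{t}(A) \text{ (neither is } 1), \text{ so T holds, and indeed }
\mathbb{B}_\bot \notin [\![\Box(a_{tt} \vee a_{ff})]\!].
\\[1ex]
\text{A conjunction } \Box a_{tt} \wedge \Box a_{ff} \text{ (} I = \{1,2\},\ J_1 = \{tt\},\ J_2 = \{ff\}):
\text{ the only choice function gives}
\\
a_{tt} \wedge a_{ff} =_A 0 \notin \mathrm{con}(A), \text{ so CON fails. On the proof side,}
\\
\Box a_{tt} \wedge \Box a_{ff} = \Box(a_{tt} \wedge a_{ff}) = \Box 0 = 0
\qquad \text{by } (\Box\text{-}\wedge) \text{ and } (\Box\text{-}0),
\\
\text{and on the model side } [\![\Box a_{tt}]\!] \cap [\![\Box a_{ff}]\!]
= \{\{\mathit{tt}\}\} \cap \{\{\mathit{ff}\}\} = \emptyset, \text{ as (T1)(ii) requires.}
\\[1ex]
\text{Prime completeness (T4): } [\![\Box a_{tt}]\!] \subseteq [\![\Box(a_{tt} \vee a_{ff})]\!],
\text{ and } a_{tt} \le_A a_{tt} \vee a_{ff} \text{ gives}
\\
\Box a_{tt} \le_{P_u(A)} \Box(a_{tt} \vee a_{ff}) \qquad \text{by } (\Box\text{-}\le).
```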

Proposition 3.4.10 (Tl) For all a,{ai}iei G PNF(P„(^)); 

(0 laUiA) e priKniP^iA))) 

Proof, (i). Let □ Vie/«' ^ PNF(P„(/1)). Then either Vie/«i ^ con(A), 
and 

1° V «^^"(^) = ^ pr(i^O(P„(A))); 
or for some X Cf /C(^), X ^ and 

In the latter case, 

pyaijp^iA) = {S e Pu{A) : S C ly a^jA} 

= {5 e P„(i) : ti^ 5} 
= tp4A)(lV«^U)- 

(ii) Firstly, 

lA ° V = 1° V A 



53 



by (□ — a) (see the proof of (T3)) and distributivity. Now by (i), 

<^ 3/ e Ji. /\aij(i) e con{A). 

(iii) This follows from the fact that 

^ ^ P<4pu(a) ^ ± ^ Ma. I 
Proposition 3.4.11 (T2) Va e |P„(^)|.36 e CDNF(P„(A)). a =p„(a) 6. 
Proof. We can use the distributive lattice laws to put a in the form 

V A 

By {dl), each a^j can be written as 

V 

where each G cpr(A). We can now use (□ — A) and the distributive laws 
to obtain an expression of the form 

V ° V <='. 

i'€l' l&Li, 

where each q G cpr{A). Moreover disjuncts with Lj' = can be deleted 
using (□ — 0). This yields the required normal form. I 

Proposition 3.4.12 (T3) For all $a, b \in |P_u(A)|$: 

$a \le_{P_u(A)} b \implies [\![a]\!]_{P_u(A)} \subseteq [\![b]\!]_{P_u(A)}$. 

Proof. Given $U \in K\Omega(A)$, define 

$\Box U = \{S \in P_u(A) : S \subseteq U\}$. 

Then 

$U \subseteq V \implies \Box U \subseteq \Box V$, $\qquad \Box \bigcap_{i \in I} U_i = \bigcap_{i \in I} \Box U_i$ 

are simple set calculations, which validate $(\Box{-}\le)$ and $(\Box{-}\wedge)$. $(\Box{-}0)$ 
is valid because the empty set is excluded from $P_u(A)$. (In fact, dropping 
$(\Box{-}0)$ exactly corresponds to retaining the empty set.) ■ 

Proposition 3.4.13 (T4) For all $\Box a, \Box b \in \mathrm{CPNF}(P_u(A))$: 

$[\![\Box a]\!]_{P_u(A)} \subseteq [\![\Box b]\!]_{P_u(A)} \implies \Box a \le_{P_u(A)} \Box b$. 

Proof. Using the description of $[\![\Box a]\!]_{P_u(A)}$, $[\![\Box b]\!]_{P_u(A)}$ from the proof of 
Proposition 3.4.10(i), 

$[\![\Box a]\!]_{P_u(A)} \subseteq [\![\Box b]\!]_{P_u(A)}$ 

$\implies a \le_A b$ 

$\implies \Box a \le_{P_u(A)} \Box b \quad (\Box{-}\le)$. ■ 

Proposition 3.4.14 (T6(A)) Let $A \trianglelefteq B$, with $e : A \to B$ the corresponding 
projection. Then 

$(P_u(e))^\dagger \circ [\![\cdot]\!]_{P_u(A)} = [\![\cdot]\!]_{P_u(B)}$. 

Proof. From the proof of Proposition 3.4.10(i), for $a \in \mathrm{con}(A)$: 

while for $a \in \mathrm{con}(A)$ we have, directly from the definitions, 

$(**)\quad P_u(e)([\![a]\!]_A) = e^\dagger([\![a]\!]_A)$. 

Now given $a \in |P_u(A)|$, by 3.4.11 

$a =_{P_u(A)} \bigvee_{i \in I} \Box a_i, \quad (a_i \in \mathrm{con}(A),\ i \in I)$, 

and we can calculate: 

$(P_u(e))^\dagger([\![a]\!]_{P_u(A)})$ 

$= \bigcup_{i \in I} (P_u(e))^\dagger({\uparrow}_{P_u(A)}[\![a_i]\!]_A) \qquad (*)$ 

$= \bigcup_{i \in I} {\uparrow}_{P_u(B)}(P_u(e)([\![a_i]\!]_A))$ 

$= \bigcup_{i \in I} {\uparrow}_{P_u(B)}(e^\dagger[\![a_i]\!]_A) \qquad (**)$ 

$= \bigcup_{i \in I} [\![\Box a_i]\!]_{P_u(B)} \qquad (*)$ 

$= [\![a]\!]_{P_u(B)}$. ■ 

Definition 3.4.15 The coalesced sum. 

(i) The generators: 

$G(A \oplus B) = \{(a \oplus f) : a \in |A|\} \cup \{(f \oplus b) : b \in |B|\}$ 

(ii) Metapredicates: 

$\mathrm{PNF}(A \oplus B) = \{(a \oplus f) : a \in \mathrm{pr}(A)\} \cup \{(f \oplus b) : b \in \mathrm{pr}(B)\} \cup \{t\}$ 

$\mathrm{CON}(t)$ 

$\mathrm{CON}(\bigwedge_{i \in I}(a_i \oplus f) \wedge \bigwedge_{j \in J}(f \oplus b_j)) = \neg(\bigwedge_{i \in I} a_i \in t(A)\ \&\ \bigwedge_{j \in J} b_j \in t(B))$ 
$\qquad \&\ \bigwedge_{i \in I} a_i \in \mathrm{con}(A)$ 
$\qquad \&\ \bigwedge_{j \in J} b_j \in \mathrm{con}(B)$ 

$\mathrm{T}(\bigwedge_{i \in I}(a_i \oplus f) \wedge \bigwedge_{j \in J}(f \oplus b_j)) = \exists i \in I.\ a_i \in t(A)\ \text{or}\ \exists j \in J.\ b_j \in t(B)$ 

$\mathrm{CPNF}(a) = \mathrm{CON}(a)$ 

(iii) Axioms: 

$(\oplus{-}\le)\quad \dfrac{a \le b}{(a \oplus f) \le (b \oplus f)} \qquad \dfrac{a \le b}{(f \oplus a) \le (f \oplus b)}$ 

$(\oplus{-}\wedge)\quad \bigwedge_{i \in I}(a_i \oplus f) = (\bigwedge_{i \in I} a_i \oplus f) \qquad \bigwedge_{i \in I}(f \oplus a_i) = (f \oplus \bigwedge_{i \in I} a_i)$ 

$(\oplus{-}\vee)\quad \bigvee_{i \in I}(a_i \oplus f) = (\bigvee_{i \in I} a_i \oplus f) \qquad \bigvee_{i \in I}(f \oplus a_i) = (f \oplus \bigvee_{i \in I} a_i)$ 

$(\oplus{-}\#)\quad a \le f \quad (\#(a))$ 

(iv) Semantic function: 

$[\![(a \oplus f)]\!]_{A \oplus B} = \{\langle 0, d\rangle : d \in [\![a]\!]_A,\ d \neq \bot\} \cup \{x \in A \oplus B : \bot \in [\![a]\!]_A\}$ 

$[\![(f \oplus b)]\!]_{A \oplus B} = \{\langle 1, d\rangle : d \in [\![b]\!]_B,\ d \neq \bot\} \cup \{x \in A \oplus B : \bot \in [\![b]\!]_B\}$ 

Proposition 3.4.16 (T1) For all $c, \{c_i\}_{i \in I} \in \mathrm{PNF}(A \oplus B)$: 

(i) $[\![c]\!]_{A \oplus B} \in \mathrm{pr}(K\Omega(A \oplus B))$ 
(ii) $\mathrm{CON}(\bigwedge_{i \in I} c_i) \iff [\![\bigwedge_{i \in I} c_i]\!]_{A \oplus B} \neq \emptyset$ 

Proof. (i) If $c = (a \oplus f)$, $a \in \mathrm{pr}(A)$, we can distinguish three cases: 

(1): $a \notin \mathrm{con}(A)$. In this case, 

$[\![c]\!]_{A \oplus B} = \emptyset$. 

(2): $[\![a]\!]_A = 1_{K\Omega(A)} = {\uparrow}(\bot)$. In this case, 

$[\![c]\!]_{A \oplus B} = {\uparrow}(\bot) \in \mathrm{pr}(K\Omega(A \oplus B))$. 

(3): $a \in \mathrm{con}(A)$, $\bot \notin [\![a]\!]_A$. In this case, for some $u \in K(A)$, $u \neq \bot$, 
$[\![a]\!]_A = {\uparrow}u$. Then 

$[\![c]\!]_{A \oplus B} = \{\langle 0, d\rangle : u \sqsubseteq d\}$ 

$= {\uparrow}(\langle 0, u\rangle)$. 

The case for $c = (f \oplus b)$ is similar. 
(ii), (iii). Straightforward. ■ 

Proposition 3.4.17 (T2) $\forall a \in |A \oplus B|.\ \exists b \in \mathrm{CDNF}(A \oplus B).\ a =_{A \oplus B} b$. 

Proof. We can use the distributive lattice laws to put $a$ in the form 

$\bigvee_{i \in I} \Big(\bigwedge_{j \in J_i}(a_{ij} \oplus f) \wedge \bigwedge_{k \in K_i}(f \oplus b_{ik})\Big)$. 

Moreover, we can write each $a_{ij}$ as $\bigvee_{l \in L} c_l$, and each $b_{ik}$ as $\bigvee_{m \in M} d_m$, with $c_l \in \mathrm{cpr}(A)$, $d_m \in \mathrm{cpr}(B)$. Using $(\oplus{-}\vee)$, we obtain 

$\bigvee_{i \in I'} \Big(\bigwedge_{j \in J_{i'}}(a_{ij} \oplus f) \wedge \bigwedge_{k \in K_{i'}}(f \oplus b_{ik})\Big)$ 

with $a_{ij} \in \mathrm{cpr}(A)$, $b_{ik} \in \mathrm{cpr}(B)$. Now using $(\oplus{-}\wedge)$, we obtain 

$\bigvee_{i \in I'} \Big((\bigwedge_{j \in J_{i'}} a_{ij} \oplus f) \wedge (f \oplus \bigwedge_{k \in K_{i'}} b_{ik})\Big)$. 

For each $i \in I'$, if both 

$\bigwedge_{j \in J_{i'}} a_{ij} \in t(A)$ 

and 

$\bigwedge_{k \in K_{i'}} b_{ik} \in t(B)$, 

we may delete the $i$'th disjunct by $(\oplus{-}\#)$. If either 

$\bigwedge_{j \in J_{i'}} a_{ij} \notin \mathrm{con}(A)$ 

or 

$\bigwedge_{k \in K_{i'}} b_{ik} \notin \mathrm{con}(B)$, 

we can delete the $i$'th disjunct by $(\oplus{-}\vee)$. Otherwise, either 

$\bigwedge_{j \in J_{i'}} a_{ij} =_A 1_A$ 

or 

$\bigwedge_{k \in K_{i'}} b_{ik} =_B 1_B$, 

and we can delete one of these conjuncts by $(\oplus{-}\wedge)$. In this way we obtain 
an expression of the form 

$\bigvee \{(a \oplus f)\} \vee \bigvee \{(f \oplus b)\}$, 

with each $a \in \mathrm{cpr}(A)$, $b \in \mathrm{cpr}(B)$, as required. ■ 
Proposition 3.4.18 (T4) For all $c, d \in \mathrm{CPNF}(A \oplus B)$: 

$[\![c]\!]_{A \oplus B} \subseteq [\![d]\!]_{A \oplus B} \implies c \le_{A \oplus B} d$. 

Proof. Take $c = (a \oplus f)$. We consider two subcases. 
(1): $d = (b \oplus f)$. 

$[\![c]\!]_{A \oplus B} \subseteq [\![d]\!]_{A \oplus B} \implies [\![a]\!]_A \subseteq [\![b]\!]_A$ 
$\implies a \le_A b$ 
$\implies (a \oplus f) \le_{A \oplus B} (b \oplus f)$ by $(\oplus{-}\le)$. 

(2): $d = (f \oplus b)$. 

$[\![c]\!]_{A \oplus B} \subseteq [\![d]\!]_{A \oplus B} \implies \bot \in [\![b]\!]_B$ 
$\implies t \le_B b$ 
$\implies c \le_{A \oplus B} t$ 
$\qquad =_{A \oplus B} (f \oplus t) \quad (\oplus{-}\wedge)$ 
$\qquad \le_{A \oplus B} (f \oplus b) \quad (\oplus{-}\le)$. 

The case for $c = (f \oplus a)$ is similar. ■ 



3.5 Logical Semantics of Types 

We now build on the work of the previous sections to give a logical semantics 
for a language of type expressions, in which each type is interpreted as a 
propositional theory (domain prelocale). 

Syntax of Type Expressions 

We define a set of type expressions TExp by 

$\sigma ::= \mathrm{OP}(\sigma_1, \ldots, \sigma_n)\ (\mathrm{OP} \in \Sigma_n) \mid t \mid \mathrm{rec}\ t.\sigma$ 

where $t$ ranges over a set of type variables TVar, $\sigma$ over type expressions, 
and $\Sigma = \{\Sigma_n\}_{n \in \omega}$ is a ranked alphabet of type constructors. For each such 
constructor $\mathrm{OP} \in \Sigma_n$, we assume we have an operation $\mathrm{op}^L : \mathbf{DPL1}^n \to \mathbf{DPL1}$ 
which satisfies properties (T1) - (T6) from the previous section with 
respect to a functor $\mathrm{op}^D : \mathbf{SDom}^n \to \mathbf{SDom}$. 

Logical Semantics of Type Expressions 

We define a semantic function 

$\mathcal{L} : \mathrm{TExp} \to \mathrm{LEnv} \to \mathbf{DPL1}$ 

where LEnv is the set of type environments 

$\mathrm{TVar} \to \mathbf{DPL1}$ 

as follows: 

$\mathcal{L}[\![\mathrm{OP}(\sigma_1, \ldots, \sigma_n)]\!]\rho = \mathrm{op}^L(\mathcal{L}[\![\sigma_1]\!]\rho, \ldots, \mathcal{L}[\![\sigma_n]\!]\rho)$ 
$\mathcal{L}[\![t]\!]\rho = \rho t$ 
$\mathcal{L}[\![\mathrm{rec}\ t.\sigma]\!]\rho = \mathrm{fix}(F) = \bigcup_{k \in \omega} F^k(\mathbf{1})$, 

where $F : \mathbf{DPL1} \to \mathbf{DPL1}$ is defined by 

$F(A) = \mathcal{L}[\![\sigma]\!]\rho[t \mapsto A]$. 

We write $\mathcal{LA}[\![\sigma]\!]\rho$ for $A/{=_A}$, where $A = \mathcal{L}[\![\sigma]\!]\rho$. 
Denotational Semantics of Type Expressions 

Similarly to the logical semantics, we define 

$\mathcal{D} : \mathrm{TExp} \to \mathrm{DEnv} \to \mathbf{SDom}$ 

where $\mathrm{DEnv} = \mathrm{TVar} \to \mathbf{SDom}$. In this semantics, each $\mathrm{OP} \in \Sigma_n$ is interpreted by the corresponding functor 

$\mathrm{op}^D : (\mathbf{SDom}^E)^n \to \mathbf{SDom}^E$ 

and $\mathrm{rec}\ t.\sigma$ as the initial fixed point of the endofunctor $\mathbf{SDom}^E \to \mathbf{SDom}^E$ 
induced from $t \mapsto \sigma(t)$. See [AsTl Chapter 5] and [SP82], [Niv81]. 

Theorem 3.5.1 (Stone Duality) Let $\rho_L \in \mathrm{LEnv}$, $\rho_D \in \mathrm{DEnv}$ satisfy: 

$\forall t \in \mathrm{TVar}.\ K\Omega(\rho_D t) \cong \rho_L t$. 

Then for any type expression $\sigma$, $\mathcal{LA}[\![\sigma]\!]\rho_L$ is the Stone dual of $\mathcal{D}[\![\sigma]\!]\rho_D$, i.e. 

(i) $\mathcal{D}[\![\sigma]\!]\rho_D \cong \mathrm{Spec}\,\mathcal{LA}[\![\sigma]\!]\rho_L$ 
(ii) $K\Omega(\mathcal{D}[\![\sigma]\!]\rho_D) \cong \mathcal{LA}[\![\sigma]\!]\rho_L$. 

Proof. Firstly, note that the two conclusions of the Theorem are equivalent, 
since Scott domains are coherent spaces. Thus it suffices to prove (i). 

It will be convenient to consider systems of simultaneous domain equations 

$\xi_1 = \sigma_1(\xi_1, \ldots, \xi_n)$ 
$\quad\vdots$ 
$\xi_n = \sigma_n(\xi_1, \ldots, \xi_n)$ 
$\qquad (3.1)$ 

where each $\sigma_i$ is a type expression not containing any occurrences of rec. It 
is standard that any $\sigma \in \mathrm{TExp}$ is equivalent to a system of equations of this 
form, in the sense that the denotation of $\sigma$ is isomorphic to a component 
of the solution of such a system. Thus what we shall show is that $A \cong D$, 
where $A$ is the solution of (3.1) in DPL1 and $D$ is the solution in SDom. To 
make this more precise, we need some definitions. 

Firstly, we define a diagram $\Delta^D$ in $(\mathbf{SDom}^E)^n$ as follows: 

$\Delta^D = (D_k, f_k)_{k \in \omega}$, 

where $D_k$ is given below and $f_k : D_k \to D_{k+1}$ is defined as follows: $f_0$ is the unique morphism given 
by initiality of $D_0$ in $(\mathbf{SDom}^E)^n$; 

where $\mathcal{D}_m$ gives the morphism part of the functor corresponding to $\vec\sigma$, and 
$\rho^D_t = \mathrm{id}_{\rho_D t}$. Now it is standard that the solution of (3.1) in SDom is given by 

$D_\infty = \lim \Delta^D$. 

Similarly, we define a $\trianglelefteq$-chain $\{A_k\}$ in $\mathbf{DPL1}^n$ by 

and we let $\Delta^A$ be the diagram $(A_k, e_k)$ in $(\mathbf{SDom}^E)^n$, where $e_k : A_k \to A_{k+1}$ 
is the tuple of embeddings 

$e_{k,i} : A_{k,i} \to A_{k+1,i} \quad (1 \le i \le n)$ 

induced by $A_{k,i} \trianglelefteq A_{k+1,i}$. Now the solution of (3.1) in DPL1 is given by 

$A_\infty = \bigcup_k A_k = (\bigcup_k A_{k,1}, \ldots, \bigcup_k A_{k,n})$. 

It is easily verified that the cone $p : \Delta^A \to A_\infty$ with $p_k$ the embedding 
induced by $A_k \trianglelefteq A_\infty$ is colimiting in $(\mathbf{SDom}^E)^n$. Thus our task reduces to 
proving 

$\lim \Delta^A \cong \lim \Delta^D$, 

for which it suffices to construct a natural isomorphism $\nu : \Delta^A \cong \Delta^D$. 

We fix $\vec\sigma = (\sigma_1, \ldots, \sigma_n)$ as the system of equations under consideration. 
For each $\vec\tau = (\tau_1, \ldots, \tau_n)$ where each $\tau_i$ contains no occurrences of rec, and 
$k \in \omega$, we shall define: 

• objects $D_{\vec\tau,k}$ and morphisms $f_{\vec\tau,k} : D_{\vec\tau,k} \to D_{\vec\tau,k+1}$ in $(\mathbf{SDom}^E)^n$; 

• objects $A_{\vec\tau,k}$ in $\mathbf{DPL1}^n$ and morphisms $e_{\vec\tau,k} : A_{\vec\tau,k} \to A_{\vec\tau,k+1}$; 

• morphisms $\nu_{\vec\tau,k} : A_{\vec\tau,k} \to D_{\vec\tau,k}$. 

$A_{\vec\tau,k+1} = (\mathcal{L}[\![\tau_1]\!]\rho_L[\vec\xi \mapsto A_{\vec\sigma,k}], \ldots, \mathcal{L}[\![\tau_n]\!]\rho_L[\vec\xi \mapsto A_{\vec\sigma,k}])$ 

$f_{\vec\tau,0}$ is the unique morphism given by initiality. 

$e_{\vec\tau,k+1}$ is the embedding induced by 

$A_{\vec\tau,k+1} \trianglelefteq A_{\vec\tau,k+2}$, 

which holds since $A_{\vec\sigma,k} \trianglelefteq A_{\vec\sigma,k+1}$ by the usual argument. $\nu_{\vec\tau,0}$ is the unique 
isomorphism arising from $\mathbf{1}^L = \mathbf{1}^D$. 

$\nu_{\vec\tau,k+1} = (\nu_{\tau_1,k+1}, \ldots, \nu_{\tau_n,k+1})$, 

where $\nu_{\tau,k+1}$ is defined by induction on $\tau$: 

the isomorphism given in the hypothesis of the theorem. For $\tau = \mathrm{OP}(\theta_1, \ldots, \theta_m)$, 

$\nu_{\tau,k+1} = \mathrm{op}^D(\nu_{\theta_1,k+1}, \ldots, \nu_{\theta_m,k+1}) \circ \eta_{\tau,k+1}$, 

where $\eta_{\tau,k+1} : A_{\tau,k+1} \cong \mathrm{op}^D(A_{\theta_1,k+1}, \ldots, A_{\theta_m,k+1})$ is the isomorphism given 
by property (T6)(B) for OP. 
Note that 

$\Delta^A = (A_{\vec\sigma,k}, e_{\vec\sigma,k})_{k \in \omega}$, 

and so, defining $\nu : \Delta^A \to \Delta^D$ by $\nu_k = \nu_{\vec\sigma,k}$, it remains to verify that for all 
$k$: 

• $\nu_k$ is an isomorphism 

• $\nu_{k+1} \circ e_k = f_k \circ \nu_k$. 

We argue by induction on $k$. The basis follows from the fact that $\mathbf{1}^L = \mathbf{1}^D$, 
and the initiality of $(\mathbf{1}^D, \ldots, \mathbf{1}^D)$ in $(\mathbf{SDom}^E)^n$. For the inductive step, we 
assume: 

(i) $\nu_k = \nu_{\vec\sigma,k}$ is an isomorphism 

(ii) $\nu_{k+1} \circ e_k = \nu_{\vec\sigma,k+1} \circ e_{\vec\sigma,k} = f_{\vec\sigma,k} \circ \nu_{\vec\sigma,k} = f_k \circ \nu_k$ 

and prove that for all $\tau$ with no occurrences of rec, 

(iii) $\nu_{\tau,k+1}$ is an isomorphism 

(iv) $\nu_{\tau,k+2} \circ e_{\tau,k+1} = f_{\tau,k+1} \circ \nu_{\tau,k+1}$ 

(where $(e_{\tau,k+1}, \ldots, e_{\tau,k+1}) = e_{(\tau,\ldots,\tau),k+1}$, and similarly for $f_{\tau,k+1}$). Taking 
$\tau = \sigma_i$, $1 \le i \le n$ in (iii) and (iv) then yields 

(v) $\nu_{k+1} = \nu_{\vec\sigma,k+1}$ is an isomorphism 

and 

(vi) $\nu_{k+2} \circ e_{k+1} = \nu_{\vec\sigma,k+2} \circ e_{\vec\sigma,k+1} = f_{\vec\sigma,k+1} \circ \nu_{\vec\sigma,k+1} = f_{k+1} \circ \nu_{k+1}$, 

as required. We prove (iii) and (iv) by induction on $\tau$. 
Case 1: $\tau = \xi_i$. In this case, (iii) just says that $\nu_{\sigma_i,k}$ is an isomorphism, and 
(iv) that 

$\nu_{\sigma_i,k+1} \circ e_{\sigma_i,k} = f_{\sigma_i,k} \circ \nu_{\sigma_i,k}$, 

and we can use our outer induction hypothesis on $k$. 

Case 2: $\tau = t$. In this case, $\tau$ denotes a constant functor, and 

$f_{\tau,k+1} = \mathrm{id}_{D_{\tau,k+1}}$, 

$\nu_{\tau,k+1} = \nu_{\tau,k+2} = (\rho_L t \cong \rho_D t)$, 

so (iii) and (iv) hold trivially. 

Case 3: $\tau = \mathrm{OP}(\theta_1, \ldots, \theta_m)$. Applying our inner induction hypothesis to 
each $\theta_i$, we have 

(vii) $\nu_{\theta_i,k+1}$ is an isomorphism 
(viii) $\nu_{\theta_i,k+2} \circ e_{\theta_i,k+1} = f_{\theta_i,k+1} \circ \nu_{\theta_i,k+1}$. 
By definition, 

$\nu_{\tau,k+1} = \mathrm{op}^D(\nu_{\theta_1,k+1}, \ldots, \nu_{\theta_m,k+1}) \circ \eta_{\tau,k+1}$. 

Since $\mathrm{op}^D$ is a functor, by (vii) $\mathrm{op}^D(\nu_{\theta_1,k+1}, \ldots, \nu_{\theta_m,k+1})$ is an isomorphism; 
while $\eta_{\tau,k+1}$ is given as an isomorphism by (T6)(B). This proves (iii). Finally, 

$\nu_{\tau,k+2} \circ e_{\tau,k+1}$ 
$= \mathrm{op}^D(\nu_{\theta_1,k+2}, \ldots, \nu_{\theta_m,k+2}) \circ \eta_{\tau,k+2} \circ e_{\tau,k+1}$ 

$= \mathrm{op}^D(\nu_{\theta_1,k+2}, \ldots, \nu_{\theta_m,k+2}) \circ \mathrm{op}^D(e_{\theta_1,k+1}, \ldots, e_{\theta_m,k+1}) \circ \eta_{\tau,k+1}$ 
by (T6)(B) 

$= \mathrm{op}^D(\nu_{\theta_1,k+2} \circ e_{\theta_1,k+1}, \ldots, \nu_{\theta_m,k+2} \circ e_{\theta_m,k+1}) \circ \eta_{\tau,k+1}$ 

$= \mathrm{op}^D(f_{\theta_1,k+1} \circ \nu_{\theta_1,k+1}, \ldots, f_{\theta_m,k+1} \circ \nu_{\theta_m,k+1}) \circ \eta_{\tau,k+1}$ 

by (viii) 

$= \mathrm{op}^D(f_{\theta_1,k+1}, \ldots, f_{\theta_m,k+1}) \circ \mathrm{op}^D(\nu_{\theta_1,k+1}, \ldots, \nu_{\theta_m,k+1}) \circ \eta_{\tau,k+1}$ 

$= f_{\tau,k+1} \circ \nu_{\tau,k+1}$, 

which proves (iv). ■ 

We finish with an observation that will be useful in the next Chapter. 
In our definitions of the constructions $A \to B$ etc. in section 4, we used 
the "semantic" predicates pr, con, t at the argument types $A$, $B$. Now 
suppose we are forming a theory as the denotation of a type expression, e.g. 
$\mathcal{L}[\![\sigma \to \tau]\!]\rho$; the arguments are $A = \mathcal{L}[\![\sigma]\!]\rho$, $B = \mathcal{L}[\![\tau]\!]\rho$. Then it makes sense to 
use the syntactic predicates $\mathrm{PNF}(A)$, $\mathrm{CON}(A)$, $\mathrm{T}(A)$ etc. in our definition of 

$A \to B = \mathcal{L}[\![\sigma \to \tau]\!]\rho$. 

Using properties (T1), (T2) and (T8) for each type construction, it is straightforward to prove the 

Observation 3.5.2 For all $\sigma$, $\rho$ the same theory is obtained whether 
syntactic or semantic predicates are used in each application of a type construction. ■ 
Chapter 4 

Domain Theory In Logical Form 

4.1 Introduction 

In this Chapter we shall complete the core of our research programme, as 
set out in Chapter 1. We shall introduce a meta- language for denotational 
semantics, give it a logical interpretation via the localic side of Stone duality, 
and relate this logical interpretation to the standard denotational one by 
showing that they are Stone duals of each other. 

Denotational semantics is always based, more or less explicitly, on a typed 
functional meta-language. The types are interpreted as topological spaces 
(usually domains in the sense of Scott [Sco81, Sco82], but sometimes metric 
spaces, as in [dBZ82, Niv81]), while the terms denote elements of or functions 
between these spaces. A program logic comprises an assertion language of 
formulas for expressing properties of programs, and an interface between 
these properties and the programs themselves. Two main types of interface 
can be identified [Pnu77]: 

Endogenous logic In this style, formulas describe properties pertaining to 
the "world" of a single program. Notation: 

$P \models \phi$ 

where $P$ is a program and $\phi$ is a formula. Examples: temporal logic 
as used e.g. in [Pnu77]; Hennessy-Milner logic [HM85]; type inference 
[DM82]. 

Exogenous logic Here, programs are embedded in formulas as modal operators. Notation: 

$[P]\phi$ 

where $P$ is now a program denoting a function or relation. Examples: 
dynamic logic [Har79, Pra81], including as special cases Hoare logic 
[Hoa69], since "Hoare triples" $\{\phi\}P\{\psi\}$ can be represented by 

$\phi \to [P]\psi$ 

and Dijkstra's wlp-calculus [Dij76], since $\mathrm{wlp}(P, \psi)$ can be represented 
as $[P]\psi$. (Total correctness assertions can also be catered for; see 
[Har79].) 

Extensionally, formulas denote sets of points in our denotational domains, 
i.e. $\phi$ is a syntactic description of $\{x : x \text{ satisfies } \phi\}$. Then $P \models \phi$ can be 
interpreted as $x \in U$, where $x$ is the point denoted by $P$, and $U$ is the set 
denoted by $\phi$. Similarly, $[M]\phi$ can be interpreted as $f^{-1}(U)$, where $f$ is the 
function denoted by $M$ (and elaborations of this when $M$ denotes a relation 
or multifunction). In this way, we can give a topological interpretation of 
program logic. 

But this is not all: duality cuts both ways. We can also use it to give a 
logical interpretation of denotational semantics. Rather than starting with 
the denotational domains as spaces of points, and then interpreting formulas 
as sets of points, we can give an axiomatic presentation of the topologies on 
our spaces, viewed as abstract lattices (logical theories), and then reconstruct 
the points from the properties they satisfy. In other words, we can present 
denotational semantics in axiomatic form, as a logic of programs. This has 
a number of attractions: 

• It unifies semantics and program logic in a general and systematic set- 
ting. 

• It extends the scope of program logic to the entire range of denotational 
semantics - higher-order functions, recursive types, powerdomains etc. 

• The syntactic presentation of recursive types, powerdomains etc. makes 
these constructions more "visible" and easier to calculate with. 
• The construction of "points", i.e. denotations of computational pro- 
cesses, from the properties they satisfy is very compatible with work 
currently being done in a mainly operational setting in concurrency 
|HM85t IWinSO] and elsewhere |BC85] , and offers a promising approach 
to unification of this work with denotational semantics. 

The setting we shall take for our work in this Chapter is SDom, the cate- 
gory of Scott domains. The significance of this as far as the meta-language is 
concerned is that we omit the Plotkin powerdomain construction. However, 
this construction will be treated, in the context of a particular domain equa- 
tion, in Chapter 5. Our reason for not including the Plotkin powerdomain, 
and extending the duality to SFP, is that this creates some additional tech- 
nical complications, though certainly not insuperable ones; lack of time and 
energy supervened. For further discussion, see Chapter 7. 

The remainder of the Chapter is organised as follows. In section 2, we 
interpret the types of our denotational meta-language as propositional the- 
ories. We can then apply the results of Chapter 3 to show that each such 
theory is the Stone dual of the domain obtained as the denotation of the type 
in the standard interpretation. In section 3, we extend the meta-language 
to include typed terms, i.e. functional programs. We extend our logic to an 
axiomatisation of the satisfaction relation $P \models \phi$ ($P$ a term, $\phi$ a formula 
of the logic introduced in section 2), and prove that this axiomatisation is 
sound and complete with respect to the spatial interpretation $x \in U$, where 
$x$ is the point denoted by $P$, and $U$ the open set denoted by $\phi$. In section 4, 
we consider an alternative formulation of the meta-language, in which terms 
are formed at the morphism level rather than the element level; the comparison between these formulations extends the standard one between λ-calculus 
(element level) and cartesian closed categories (morphism level). We find a 
pleasing correspondence between the two known, but hitherto quite unre- 
lated, dichotomies: 

cartesian closed categories        exogenous logic 
          vs.                 ~          vs. 
      λ-calculus                   endogenous logic. 

Our axiomatisation of the morphism-level language comprises an extended 
and generalised dynamic logic [Pra81, Har79]. We prove a restricted Com- 
pleteness Theorem for this axiomatisation, and show that the general validity 
problem for this logic is undecidable. Finally, in section 5 we indicate how 
the results of this Chapter pave the way for a whole class of applications, and 
set the scene for the two case studies to be described in Chapters 5 and 6. 
4.2 Domains as Propositional Theories 



We begin by introducing the first part of a meta-language for denotational 
semantics, the type expressions, with syntax 

$\sigma ::= \mathbf{1} \mid \sigma \times \tau \mid \sigma \to \tau \mid \sigma \oplus \tau \mid (\sigma)_\bot \mid P_u\sigma \mid P_l\sigma \mid t \mid \mathrm{rec}\ t.\sigma$ 

where $t$ ranges over type variables, and $\sigma$, $\tau$ over type expressions. 

The standard way of interpreting these expressions is as objects of SDom 
(more generally as cpo's, but SDom is closed under all the above constructions as a subcategory of CPO). Thus for each type expression $\sigma$ we define a 
domain $\mathcal{D}(\sigma) = (D(\sigma), \sqsubseteq_\sigma)$ in SDom; $\sigma \times \tau$ is interpreted as product, $\sigma \to \tau$ 
as function space, $\sigma \oplus \tau$ as coalesced sum, $(\sigma)_\bot$ as lifting, $P_u\sigma$ and $P_l\sigma$ as 
the upper and lower (or Smyth and Hoare) powerdomains, and $\mathrm{rec}\ t.\sigma$ as the 
solution of the domain equation 

$t = \sigma(t)$, 

i.e. as the initial fixpoint of an endofunctor over SDom. Other constructions 
(e.g. strict function space, smash product) can be added to the list. 

So far, all this is standard [Plo81, SP82]. Now we begin our alternative 
approach. For each type expression $\sigma$, we shall define a propositional theory 
$\mathcal{L}(\sigma) = (L(\sigma), \le_\sigma, =_\sigma)$, where: 

• $L(\sigma)$ is a set of formulae 

• $\le_\sigma$, $=_\sigma$ are the relations of logical entailment and equivalence between 
formulae. 

£(cr) is defined inductively via formation rules, axioms and inference rules 
in the usual way. 



Formation Rules 

$\dfrac{\phi \in L(\sigma),\ \psi \in L(\tau)}{(\phi \times \psi) \in L(\sigma \times \tau),\ (\phi \to \psi) \in L(\sigma \to \tau)}$ 

$\dfrac{\phi \in L(\sigma),\ \psi \in L(\tau)}{(\phi \oplus f),\ (f \oplus \psi) \in L(\sigma \oplus \tau)} \qquad \dfr ac{\phi \in L(\sigma)}{(\phi)_\bot \in L((\sigma)_\bot)}$ 

$\dfrac{\phi \in L(\sigma)}{\Box\phi \in L(P_u\sigma),\ \Diamond\phi \in L(P_l\sigma)}$ 

$\dfrac{\phi \in L(\sigma[\mathrm{rec}\ t.\sigma/t])}{\phi \in L(\mathrm{rec}\ t.\sigma)}$ 

We should think of $(\phi \to \psi)$, $\Diamond\phi$ etc. as "constructors" or "generators", 
which build basic formulae at complex types from arbitrary formulae at simpler types. Note that no constructors are introduced for recursive types; we 
are taking advantage of the observation, familiar from work on information 
systems [LW84], that if we work with preorders it is easy to solve domain 
equations up to identity. 

Examples 

We define separated sum as a derived operation: 

$\sigma + \tau = (\sigma)_\bot \oplus (\tau)_\bot$ 

Also, we define the Sierpinski space (two-point domain): 

$\mathbf{O} = (\mathbf{1})_\bot$ 

Now we construct a number of familiar semantic domains: 

name       expression                  description 
B          1 + 1                       flat domain of booleans 
N          rec t. O ⊕ t                flat domain of natural numbers 
LN         rec t. 1 + t                lazy natural numbers 
List(N)    rec t. 1 + (N × t)          lazy lists of eager numbers 
CBN        rec t. N + (t → t)          call-by-name untyped λ-calculus 

Now we define some formulas in these types, to suggest how the expected 
structure emerges from the formal definitions. 
name          formula                                                    type 
*             (t)_⊥                                                      O 
true          (* ⊕ f)                                                    B 
false         (f ⊕ *)                                                    B 
0             (* ⊕ f)                                                    N 
1             (f ⊕ 0)                                                    N 
n+1           (f ⊕ n)                                                    N 
nil           (* ⊕ f)                                                    List(N) 
0 :: nil      (f ⊕ (0 × nil))                                            List(N) 
0 :: ⊥        (f ⊕ (0 × t))                                              List(N) 
parallel or   ((true × t) → true) ∧ ((t × true) → true) ∧ ((false × false) → false)   (B × B) → B 


Auxiliary Predicates 

Before proceeding to the axiomatisation proper, we shall define some auxiliary predicates on formulas. These will be used as side-conditions on a 
number of axioms and rules (e.g. $(\to{-}\vee{-}R)$ below). Thus it is important 
that they are recursive predicates, defined syntactically on formulae. The 
main predicates we define are: 

• $\mathrm{PNF}(\phi)$: $\phi$ is in prime normal form, defined by the condition that 
disjunctions only occur in $\phi$ immediately under $\Box$. 

Then for $\phi$ in PNF, we shall define: 

• $\mathrm{C}(\phi)$: $\phi$ is consistent, i.e. so that we have 

$\mathrm{C}(\phi) \iff \neg(\phi \le f) \iff [\![\phi]\!] \neq \emptyset$ 

(where $[\![\cdot]\!]$ is the semantics to be introduced below). 

• $\mathrm{T}(\phi)$: $\phi$ requires termination, i.e. so that we have 

$\mathrm{T}(\phi) \iff \neg(t \le \phi) \iff \bot \notin [\![\phi]\!]$. 

Of these, the idea of formal consistency, and its definition for function 
spaces, go back to [Kre59], and also play a major role in [Sco81, Sco82]. The 
other predicates, as syntactic conditions on expressions, are apparently new 
(and in the presence of the type constructions we are considering, specifically 
function space and coalesced sum, the definitions of C and T are mutually 
recursive). 

$\mathrm{C}(t) = \mathrm{true}$ 

$\mathrm{C}(\bigwedge_{i \in I}(\phi_i \oplus f) \wedge \bigwedge_{j \in J}(f \oplus \psi_j)) = \neg(\mathrm{T}(\bigwedge_{i \in I} \phi_i)\ \&\ \mathrm{T}(\bigwedge_{j \in J} \psi_j))$ 
$\qquad \&\ \mathrm{C}(\bigwedge_{i \in I} \phi_i)\ \&\ \mathrm{C}(\bigwedge_{j \in J} \psi_j)$ 

$\mathrm{C}(\bigwedge_{i \in I} \Diamond\phi_i) = \forall i \in I.\ \mathrm{C}(\phi_i)$ 

$\mathrm{C}(\bigwedge_{i \in I} \Box \bigvee_{j \in J_i} \phi_{ij}) = \exists f \in \prod_{i \in I} J_i.\ \mathrm{C}(\bigwedge_{i \in I} \phi_{i f(i)})$ 

$\mathrm{T}(\bigwedge_{i \in I} \phi_i) = \exists i \in I.\ \mathrm{T}(\phi_i)$ 

$\mathrm{T}(\phi \to \psi) = \mathrm{C}(\phi)\ \&\ \mathrm{T}(\psi)$ 

$\mathrm{T}(\phi \times \psi) = \mathrm{T}(\phi)\ \text{or}\ \mathrm{T}(\psi)$ 

$\mathrm{T}(\phi \oplus f) = \mathrm{T}(f \oplus \phi) = \mathrm{T}(\phi)$ 

$\mathrm{T}((\phi)_\bot) = \mathrm{true}$ 

$\mathrm{T}(\Diamond\phi) = \mathrm{T}(\Box\phi) = \mathrm{T}(\phi)$. 

Once we have defined C and T, we can introduce the following derived 
predicates: 

$\mathrm{CPNF}(\phi) = \mathrm{PNF}(\phi)$ and for all sub-formulae $\psi$ of $\phi$, $\mathrm{PNF}(\psi) \implies \mathrm{C}(\psi)$. 

$\mathrm{CDNF}(\phi)$ 

$\#(\phi)$ 
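The predicates C and T above are defined by structural recursion on formulae, and the text stresses that with function space and coalesced sum present the two definitions call each other. As an added illustration (not code from the thesis), the following Python implements both predicates for the prime-normal-form fragment. The clauses for $\oplus$, $\Diamond$, $\Box$ and all of T follow the page; the clauses of C for $\to$, $\times$ and $(\cdot)_\bot$ are the standard formal-consistency conditions in the same style (for $\to$: every subset of the conjuncts with consistent antecedents has consistent consequents) and are assumptions here, as are the tuple-of-generators encoding, the function names, and the reading of T for a $\Box$ over a disjunction (every disjunct must exclude $\bot$). The sample formulas are the ones from the table above, constructed by hand.

```python
# Syntactic consistency C and termination T for the PNF fragment of
# Domain Logic.  Added example; encoding and the ->, x, (.)_bot clauses
# of C are assumptions (see lead-in), not taken from the thesis.
from itertools import combinations, product

# A PNF formula is a conjunction of generators, encoded as a tuple;
# the empty tuple () is the formula t.  Generators:
#   ("arrow", phi, psi)     (phi -> psi)          at sigma -> tau
#   ("prod",  phi, psi)     (phi x psi)           at sigma x tau
#   ("inl",   phi)          (phi (+) f)           at sigma (+) tau
#   ("inr",   psi)          (f (+) psi)           at sigma (+) tau
#   ("lift",  phi)          (phi)_bot             at (sigma)_bot
#   ("dia",   phi)          <>phi                 at P_l sigma
#   ("box",   [phi_1, ...]) [](phi_1 v ... v phi_n) at P_u sigma
# where phi, psi, phi_j are themselves PNF tuples.
T_FORMULA = ()


def conj(*phis):
    """Conjunction of PNF formulas of one type: concatenate generators."""
    return tuple(g for phi in phis for g in phi)


def C(phi):
    """Consistency: C(phi) holds iff some point satisfies phi."""
    if not phi:                                   # C(t) = true
        return True
    tags = {g[0] for g in phi}
    if tags == {"arrow"}:
        # assumed clause: for all J subset I,
        #   C(/\_{j in J} phi_j)  implies  C(/\_{j in J} psi_j)
        for r in range(len(phi) + 1):
            for J in combinations(phi, r):
                if C(conj(*(g[1] for g in J))) and not C(conj(*(g[2] for g in J))):
                    return False
        return True
    if tags == {"prod"}:
        # assumed clause: C(/\ (phi_i x psi_i)) = C(/\ phi_i) & C(/\ psi_i)
        return C(conj(*(g[1] for g in phi))) and C(conj(*(g[2] for g in phi)))
    if tags <= {"inl", "inr"}:
        # page clause for coalesced sum: both sides consistent, and the two
        # injections must not both require termination (no point is in both)
        left = conj(*(g[1] for g in phi if g[0] == "inl"))
        right = conj(*(g[1] for g in phi if g[0] == "inr"))
        return (not (T(left) and T(right))) and C(left) and C(right)
    if tags == {"lift"}:
        # assumed clause: C(/\ (phi_i)_bot) = C(/\ phi_i)
        return C(conj(*(g[1] for g in phi)))
    if tags == {"dia"}:
        # page clause: C(/\ <>phi_i) = for all i. C(phi_i)
        return all(C(g[1]) for g in phi)
    if tags == {"box"}:
        # page clause: C(/\_i [] \/_j phi_ij) = exists f. C(/\_i phi_{i f(i)})
        return any(C(conj(*choice)) for choice in product(*(g[1] for g in phi)))
    raise ValueError(f"generators of different types conjoined: {tags}")


def T(phi):
    """Termination: T(phi) holds iff bottom does not satisfy phi."""
    # T(/\ phi_i) = exists i. T(phi_i); in particular T(t) = false
    return any(T1(g) for g in phi)


def T1(g):
    tag = g[0]
    if tag == "arrow":
        return C(g[1]) and T(g[2])       # T(phi -> psi) = C(phi) & T(psi)
    if tag == "prod":
        return T(g[1]) or T(g[2])        # T(phi x psi) = T(phi) or T(psi)
    if tag in ("inl", "inr"):
        return T(g[1])                   # T(phi (+) f) = T(f (+) phi) = T(phi)
    if tag == "lift":
        return True                      # T((phi)_bot) = true
    if tag == "dia":
        return T(g[1])                   # T(<>phi) = T(phi)
    if tag == "box":
        # assumption: T([] \/_j phi_j) iff every disjunct excludes bottom
        return all(T(d) for d in g[1])
    raise ValueError(tag)


# Constructed sample formulas, following the table above (types O, B, N).
STAR = (("lift", T_FORMULA),)            # * = (t)_bot at O
TRUE = (("inl", STAR),)                  # (* (+) f) at B = O (+) O
FALSE = (("inr", STAR),)                 # (f (+) *) at B
ZERO = (("inl", STAR),)                  # (* (+) f) at N
ONE = (("inr", ZERO),)                   # (f (+) 0) at N
POR = (("arrow", (("prod", TRUE, T_FORMULA),), TRUE),    # parallel or
       ("arrow", (("prod", T_FORMULA, TRUE),), TRUE),    # at (B x B) -> B
       ("arrow", (("prod", FALSE, FALSE),), FALSE))


def examples():
    """Run C and T over the sample formulas; returns a dict of results."""
    return {
        "true_and_false": C(conj(TRUE, FALSE)),          # False: both terminate
        "zero_and_one": C(conj(ZERO, ONE)),              # False
        "por_consistent": C(POR),                        # True
        "por_terminates": T(POR),                        # True
        "fun_true_to_both": C((("arrow", TRUE, TRUE), ("arrow", TRUE, FALSE))),  # False
        "box_choice_ok": C((("box", [TRUE, FALSE]), ("box", [TRUE]))),           # True
        "box_choice_bad": C((("box", [TRUE]), ("box", [FALSE]))),                # False
        "box_f": C((("box", []),)),                                               # False
    }
```

The consistency check for a function type is exponential in the number of conjuncts, which is harmless here: it runs over finite syntactic formulas, and the point of the example is that C and T are decidable by recursion on syntax, as the text requires of a side-condition. The last sample shows $\Box f$ coming out inconsistent purely from the $\Box$ clause (an empty choice of disjuncts), matching the axiom $(\Box{-}f)$ below.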

Now we turn to the axiomatization. The axioms of our logic are all "poly- 
morphic" in character, i.e. they arise from the type constructions uniformly 
over the types to which the constructions are applied. Thus we omit type 
subscripts. 

The axioms fall into two main groups. 

Logical Axioms 

These give each $\mathcal{L}(\sigma)$ the structure of a distributive lattice. 

$(\le{-}\mathrm{ref})\quad \phi \le \phi \qquad (\le{-}\mathrm{trans})\quad \dfrac{\phi \le \psi,\ \psi \le \chi}{\phi \le \chi}$ 

$(={-}I)\quad \dfrac{\phi \le \psi,\ \psi \le \phi}{\phi = \psi}$ 

$(t{-}I)\quad \phi \le t \qquad (\wedge{-}I)\quad \dfrac{\phi \le \psi,\ \phi \le \chi}{\phi \le \psi \wedge \chi}$ 
$(\wedge{-}E{-}L)\quad \phi \wedge \psi \le \phi \qquad (\wedge{-}E{-}R)\quad \phi \wedge \psi \le \psi$ 

$(f{-}E)\quad f \le \phi \qquad (\vee{-}I)\quad \dfrac{\phi \le \chi,\ \psi \le \chi}{\phi \vee \psi \le \chi}$ 
$(\vee{-}E{-}L)\quad \phi \le \phi \vee \psi \qquad (\vee{-}E{-}R)\quad \psi \le \phi \vee \psi$ 

$(\wedge{-}\mathrm{dist})\quad \phi \wedge (\psi \vee \chi) \le (\phi \wedge \psi) \vee (\phi \wedge \chi)$ 

Type-specific Axioms 

These articulate each type construction, by showing how its generators interact with the logical structure. 

$(\times{-}\le)\quad \dfrac{\phi \le \phi',\ \psi \le \psi'}{(\phi \times \psi) \le (\phi' \times \psi')}$ 

$(\times{-}\wedge)\quad \bigwedge_{i \in I}(\phi_i \times \psi_i) = (\bigwedge_{i \in I} \phi_i \times \bigwedge_{i \in I} \psi_i)$ 

$(\times{-}\vee{-}L)\quad (\bigvee_{i \in I} \phi_i \times \psi) = \bigvee_{i \in I}(\phi_i \times \psi)$ 

$(\times{-}\vee{-}R)\quad (\phi \times \bigvee_{i \in I} \psi_i) = \bigvee_{i \in I}(\phi \times \psi_i)$ 

$(\to{-}\le)\quad \dfrac{\phi' \le \phi,\ \psi \le \psi'}{(\phi \to \psi) \le (\phi' \to \psi')}$ 

$(\to{-}\wedge)\quad (\phi \to \bigwedge_{i \in I} \psi_i) = \bigwedge_{i \in I}(\phi \to \psi_i)$ 

$(\to{-}\vee{-}L)\quad (\bigvee_{i \in I} \phi_i \to \psi) = \bigwedge_{i \in I}(\phi_i \to \psi)$ 

$(\to{-}\vee{-}R)\quad (\phi \to \bigvee_{i \in I} \psi_i) \le \bigvee_{i \in I}(\phi \to \psi_i) \quad (\mathrm{CPNF}(\phi))$ 

$(\oplus{-}\le)\quad \dfrac{\phi \le \psi}{(\phi \oplus f) \le (\psi \oplus f),\ (f \oplus \phi) \le (f \oplus \psi)}$ 

$(\oplus{-}\wedge{-}L)\quad \bigwedge_{i \in I}(\phi_i \oplus f) = (\bigwedge_{i \in I} \phi_i \oplus f)$ 

$(\oplus{-}\wedge{-}R)\quad (f \oplus \bigwedge_{i \in I} \psi_i) = \bigwedge_{i \in I}(f \oplus \psi_i)$ 

$(\oplus{-}\vee{-}L)\quad (\bigvee_{i \in I} \phi_i \oplus f) = \bigvee_{i \in I}(\phi_i \oplus f)$ 

$(\oplus{-}\vee{-}R)\quad (f \oplus \bigvee_{i \in I} \psi_i) = \bigvee_{i \in I}(f \oplus \psi_i)$ 

$((\cdot)_\bot{-}\le)\quad \dfrac{\phi \le \psi}{(\phi)_\bot \le (\psi)_\bot}$ 

$((\cdot)_\bot{-}\wedge)\quad (\phi \wedge \psi)_\bot = (\phi)_\bot \wedge (\psi)_\bot$ 

$((\cdot)_\bot{-}\vee)\quad (\bigvee_{i \in I} \phi_i)_\bot = \bigvee_{i \in I}(\phi_i)_\bot$ 

$(\Box{-}\le)\quad \dfrac{\phi \le \psi}{\Box\phi \le \Box\psi}$ 

$(\Box{-}\wedge)\quad \Box \bigwedge_{i \in I} \phi_i = \bigwedge_{i \in I} \Box\phi_i$ 

$(\Box{-}f)\quad \Box f = f$ 

$(\Diamond{-}\le)\quad \dfrac{\phi \le \psi}{\Diamond\phi \le \Diamond\psi}$ 

$(\Diamond{-}\vee)\quad \Diamond \bigvee_{i \in I} \phi_i = \bigvee_{i \in I} \Diamond\phi_i$ 

$(\Diamond{-}t)\quad \Diamond t = t$ 

$(\#)\quad \phi \le f \quad (\#(\phi))$ 

The axiom $(\Box{-}f)$ exemplifies the possibilities for fine-tuning in our 
approach. It corresponds exactly to the omission of the empty set from the 
upper powerdomain. 

To make precise the sense in which this axiomatic presentation is equivalent to the usual denotational construction of domains we define, for each 
(closed) type expression $\sigma$, an interpretation function 

$[\![\cdot]\!]_\sigma : L(\sigma) \to K\Omega(\mathcal{D}(\sigma))$ 

by 

$[\![(\phi \times \psi)]\!]_{\sigma \times \tau} = \{\langle u, v\rangle : u \in [\![\phi]\!]_\sigma,\ v \in [\![\psi]\!]_\tau\}$ 

$[\![(\phi \to \psi)]\!]_{\sigma \to \tau} = \{f \in D(\sigma \to \tau) : f([\![\phi]\!]_\sigma) \subseteq [\![\psi]\!]_\tau\}$ 

$[\![(\phi \oplus f)]\!]_{\sigma \oplus \tau} = \{\langle 0, u\rangle : u \in [\![\phi]\!]_\sigma - \{\bot_\sigma\}\} \cup \{\bot_{\sigma \oplus \tau} : \bot_\sigma \in [\![\phi]\!]_\sigma\}$ 

$[\![(f \oplus \psi)]\!]_{\sigma \oplus \tau} = \{\langle 1, v\rangle : v \in [\![\psi]\!]_\tau - \{\bot_\tau\}\} \cup \{\bot_{\sigma \oplus \tau} : \bot_\tau \in [\![\psi]\!]_\tau\}$ 

$[\![(\phi)_\bot]\!]_{(\sigma)_\bot} = \{\langle 0, u\rangle : u \in [\![\phi]\!]_\sigma\}$ 

$[\![\Diamond\phi]\!]_{P_l\sigma} = \{S \in D(P_l\sigma) : S \cap [\![\phi]\!]_\sigma \neq \emptyset\}$ 

$[\![\phi]\!]_{\mathrm{rec}\ t.\sigma} = \alpha([\![\phi]\!]_{\sigma[\mathrm{rec}\ t.\sigma/t]})$ 

where $\alpha : \mathcal{D}(\sigma[\mathrm{rec}\ t.\sigma/t]) \cong \mathcal{D}(\mathrm{rec}\ t.\sigma)$ is the isomorphism arising from the 
initial solution to the domain equation $t = \sigma(t)$. 
Then for $\phi, \psi \in L(\sigma)$, we define 

$\mathcal{D}(\sigma) \models \phi \le \psi \equiv [\![\phi]\!]_\sigma \subseteq [\![\psi]\!]_\sigma$. 

We now use the results of Chapter 3 to establish some fundamental properties of our system of "Domain Logic". 

Firstly, we note that operations on prelocales in the style of Chapter 3 can 
be distilled from our definitions for product, lifting and Hoare powerdomain. 
The reader will find no difficulty in carrying out the same programme for 
these constructions as that shown for function space, Smyth powerdomain 
and coalesced sum in Chapter 3. Now using 3.5.2 we see that, for each closed 
$\sigma$ and any $\rho \in \mathrm{LEnv}$: 

$\mathcal{L}(\sigma) = \mathcal{L}[\![\sigma]\!]\rho$. 
The following results are then immediate consequences of our work in Chapter 3. 

Notation. $\mathrm{PNF}(\sigma) = \{\phi \in L(\sigma) : \mathrm{PNF}(\phi)\}$, and similarly for $\mathrm{CPNF}(\sigma)$, 
$\mathrm{CDNF}(\sigma)$. 

Proposition 4.2.1 For all $\phi \in \mathrm{PNF}(\sigma)$: 

(i) $[\![\phi]\!]_\sigma \in \mathrm{pr}(K\Omega(\mathcal{D}(\sigma)))$ 

(ii) $\mathrm{C}(\phi) \iff [\![\phi]\!]_\sigma \neq \emptyset$ 
(iii) $\mathrm{T}(\phi) \iff \bot_\sigma \notin [\![\phi]\!]_\sigma$. 

Lemma 4.2.2 (Normal Forms) For all $\phi \in L(\sigma)$, for some $\psi \in \mathrm{CDNF}(\sigma)$: 

Now we define a relation 

$[\![\cdot]\!] \subseteq \mathrm{CPNF}(\sigma) \times K(\mathcal{D}(\sigma))$: 

Proposition 4.2.3 $[\![\cdot]\!]$ is a surjective total function. 

Now we come to the main results of the section: 

Theorem 4.2.4 (Soundness and Completeness) For all $\phi, \psi \in L(\sigma)$: 

$\mathcal{L}(\sigma) \vdash \phi \le \psi \iff \mathcal{D}(\sigma) \models \phi \le \psi$. 

Now we define 

$\mathcal{LA}(\sigma) \equiv (L(\sigma)/{=_\sigma},\ \le_\sigma/{=_\sigma})$, 

the Lindenbaum algebra of $\mathcal{L}(\sigma)$. 

Theorem 4.2.5 (Stone Duality) $\mathcal{LA}(\sigma)$ is the Stone dual of $\mathcal{D}(\sigma)$, i.e. 

(i) $\mathcal{D}(\sigma) \cong \mathrm{Spec}\,\mathcal{LA}(\sigma)$ 
(ii) $K\Omega(\mathcal{D}(\sigma)) \cong \mathcal{LA}(\sigma)$. 
4.3 Programs as Elements: Endogenous Logic 

We extend our meta-language for denotational semantics to include typed 
terms. 

Syntax 

For each type $\sigma$, we have a set of variables 

$\mathrm{Var}(\sigma) = \{x^\sigma, y^\sigma, \ldots\}$. 

We give the term formation rules via an inference system for assertions of 
the form $M : \sigma$, i.e. "$M$ is a term of type $\sigma$". 

$(\mathrm{Var})\quad x^\sigma : \sigma$ 

$(\mathbf{1}{-}I)\quad \star : \mathbf{1}$ 

$(\times{-}I)\quad \dfrac{M : \sigma,\ N : \tau}{(M, N) : \sigma \times \tau} \qquad (\times{-}E)\quad \dfrac{M : \sigma \times \tau,\ N : \upsilon}{\mathbf{let}\ M\ \mathbf{be}\ (x^\sigma, y^\tau).N : \upsilon}$ 

$(\to{-}I)\quad \dfrac{M : \tau}{\lambda x^\sigma.M : \sigma \to \tau} \qquad (\to{-}E)\quad \dfrac{M : \sigma \to \tau,\ N : \sigma}{MN : \tau}$ 

$(\oplus{-}I{-}L)\quad \dfrac{M : \sigma}{\imath(M) : \sigma \oplus \tau} \qquad (\oplus{-}I{-}R)\quad \dfrac{N : \tau}{\jmath(N) : \sigma \oplus \tau}$ 

$(\oplus{-}E)\quad \dfrac{M : \sigma \oplus \tau,\ N_1 : \upsilon,\ N_2 : \upsilon}{\mathbf{cases}\ M\ \mathbf{of}\ \imath(x^\sigma).N_1\ \mathbf{else}\ \jmath(y^\tau).N_2 : \upsilon}$ 

$((\cdot)_\bot{-}I)\quad \dfrac{M : \sigma}{\mathbf{up}(M) : (\sigma)_\bot} \qquad ((\cdot)_\bot{-}E)\quad \dfrac{M : (\sigma)_\bot,\ N : \tau}{\mathbf{lift}\ M\ \mathbf{to}\ \mathbf{up}(x^\sigma).N : \tau}$ 

$(\Diamond{-}I)\quad \dfrac{M : \sigma}{\{\!|M|\!\}_l : P_l\sigma} \qquad (\Box{-}I)\quad \dfrac{M : \sigma}{\{\!|M|\!\}_u : P_u\sigma}$ 

$(\Diamond{-}E)\quad \dfrac{M : P_l\sigma,\ N : P_l\tau}{\mathbf{over}\ M\ \mathbf{extend}\ \{\!|x^\sigma|\!\}_l.N : P_l\tau}$ 

$(\Box{-}E)\quad \dfrac{M : P_u\sigma,\ N : P_u\tau}{\mathbf{over}\ M\ \mathbf{extend}\ \{\!|x^\sigma|\!\}_u.N : P_u\tau}$ 

$(\Diamond{-}+)\quad \dfrac{M : P_l\sigma,\ N : P_l\sigma}{M \uplus_l N : P_l\sigma} \qquad (\Box{-}+)\quad \dfrac{M : P_u\sigma,\ N : P_u\sigma}{M \uplus_u N : P_u\sigma}$ 

$(\Diamond{-}\otimes)\quad \dfrac{M : P_l\sigma,\ N : P_l\tau}{M \otimes_l N : P_l(\sigma \times \tau)} \qquad (\Box{-}\otimes)\quad \dfrac{M : P_u\sigma,\ N : P_u\tau}{M \otimes_u N : P_u(\sigma \times \tau)}$ 

$(\mathrm{rec}{-}I)\quad \dfrac{M : \sigma[\mathrm{rec}\ t.\sigma/t]}{\mathbf{fold}_{t,\sigma}(M) : \mathrm{rec}\ t.\sigma} \qquad (\mathrm{rec}{-}E)\quad \dfrac{M : \mathrm{rec}\ t.\sigma}{\mathbf{unfold}_{t,\sigma}(M) : \sigma[\mathrm{rec}\ t.\sigma/t]}$ 

$(\mu{-}I)\quad \dfrac{M : \sigma}{\mu x^\sigma.M : \sigma}$ 

We write $\Lambda(\sigma)$ for the set of terms of type $\sigma$. Note the systematic presentation 
of these constructs as introduction and elimination rules for each of the type 
constructions, following ideas of Martin-Löf [Mar83] and Plotkin [Plo85]. 
Note that $\lambda$, let, cases, lift, extend, $\mu$ are all variable binding operations in the 
obvious way. Also, note that $\{\!|\cdot|\!\}$, extend arise from the adjunction defining 
the powerdomain construction; $\uplus$ is the operation of the free algebras for this 
adjunction; while $\otimes$ is the universal map for the tensor product with respect 
to this operation [HP79]. 

We now introduce an endogenous program logic with assertions of the 
form 

$M, \Gamma \vdash \phi$ 

where $M : \sigma$, $\phi \in L(\sigma)$, and $\Gamma \in \prod_\sigma \{\mathrm{Var}(\sigma) \to L(\sigma)\}$ gives assumptions on 
the free variables of $M$. 

Notation 

$\Gamma \le \Delta \equiv \forall x \in \mathrm{Var}.\ \mathcal{L} \vdash \Gamma x \le \Delta x$. 

For the remainder of this Chapter, we shall omit type subscripts and superscripts "whenever we think we can get away with it", in the delightful 
formulation of Barr and Wells [BW84, p. 1]. 



Axiomatisation 

$\dfrac{\{M, \Gamma \vdash \phi_i\}_{i \in I}}{M, \Gamma \vdash \bigwedge_{i \in I} \phi_i} \qquad \dfrac{\{M, \Gamma[x \mapsto \phi_i] \vdash \psi\}_{i \in I}}{M, \Gamma[x \mapsto \bigvee_{i \in I} \phi_i] \vdash \psi}$ 

$\dfrac{M, \Gamma \vdash \phi \quad N, \Gamma \vdash \psi}{(M, N), \Gamma \vdash (\phi \times \psi)} \qquad \dfrac{M, \Gamma \vdash (\phi \times \psi) \quad N, \Gamma[x \mapsto \phi, y \mapsto \psi] \vdash \theta}{\mathbf{let}\ M\ \mathbf{be}\ (x, y).N, \Gamma \vdash \theta}$ 

$\dfrac{M, \Gamma[x \mapsto \phi] \vdash \psi}{\lambda x.M, \Gamma \vdash (\phi \to \psi)} \qquad \dfrac{M, \Gamma \vdash (\phi \to \psi) \quad N, \Gamma \vdash \phi}{MN, \Gamma \vdash \psi}$ 

$\dfrac{M, \Gamma \vdash \phi}{\imath(M), \Gamma \vdash (\phi \oplus f)} \qquad \dfrac{M, \Gamma \vdash (\phi \oplus f)\ (\mathrm{T}(\phi)) \quad N_1, \Gamma[x \mapsto \phi] \vdash \theta}{\mathbf{cases}\ M\ \mathbf{of}\ \imath(x).N_1\ \mathbf{else}\ \jmath(y).N_2, \Gamma \vdash \theta}$ 

$\dfrac{N, \Gamma \vdash \psi}{\jmath(N), \Gamma \vdash (f \oplus \psi)} \qquad \dfrac{M, \Gamma \vdash (f \oplus \psi)\ (\mathrm{T}(\psi)) \quad N_2, \Gamma[y \mapsto \psi] \vdash \theta}{\mathbf{cases}\ M\ \mathbf{of}\ \imath(x).N_1\ \mathbf{else}\ \jmath(y).N_2, \Gamma \vdash \theta}$ 

$\dfrac{M, \Gamma \vdash \phi}{\mathbf{up}(M), \Gamma \vdash (\phi)_\bot} \qquad \dfrac{M, \Gamma \vdash (\phi)_\bot \quad N, \Gamma[x \mapsto \phi] \vdash \psi}{\mathbf{lift}\ M\ \mathbf{to}\ \mathbf{up}(x).N, \Gamma \vdash \psi}$ 

$\dfrac{M, \Gamma \vdash \phi}{\{\!|M|\!\}_l, \Gamma \vdash \Diamond\phi} \qquad \dfrac{M, \Gamma \vdash \phi}{\{\!|M|\!\}_u, \Gamma \vdash \Box\phi}$ 

$\dfrac{M, \Gamma \vdash \Diamond\phi \quad N, \Gamma[x \mapsto \phi] \vdash \Diamond\psi}{\mathbf{over}\ M\ \mathbf{extend}\ \{\!|x|\!\}_l.N, \Gamma \vdash \Diamond\psi} \qquad \dfrac{M, \Gamma \vdash \Box\phi \quad N, \Gamma[x \mapsto \phi] \vdash \Box\psi}{\mathbf{over}\ M\ \mathbf{extend}\ \{\!|x|\!\}_u.N, \Gamma \vdash \Box\psi}$ 

$\dfrac{M, \Gamma \vdash \Diamond\phi}{M \uplus_l N, \Gamma \vdash \Diamond\phi} \qquad \dfrac{N, \Gamma \vdash \Diamond\psi}{M \uplus_l N, \Gamma \vdash \Diamond\psi} \qquad \dfrac{M, \Gamma \vdash \Box\phi \quad N, \Gamma \vdash \Box\phi}{M \uplus_u N, \Gamma \vdash \Box\phi}$ 

$\dfrac{M, \Gamma \vdash \Diamond\phi \quad N, \Gamma \vdash \Diamond\psi}{M \otimes_l N, \Gamma \vdash \Diamond(\phi \times \psi)} \qquad \dfrac{M, \Gamma \vdash \Box\phi \quad N, \Gamma \vdash \Box\psi}{M \otimes_u N, \Gamma \vdash \Box(\phi \times \psi)}$ 

$\dfrac{M, \Gamma \vdash \phi}{\mathbf{fold}(M), \Gamma \vdash \phi} \qquad \dfrac{M, \Gamma \vdash \phi}{\mathbf{unfold}(M), \Gamma \vdash \phi}$ 

$\dfrac{\mu x.M, \Gamma \vdash \phi \quad M, \Gamma[x \mapsto \phi] \vdash \psi}{\mu x.M, \Gamma \vdash \psi}$ 

Note that there is one inference rule for $\vdash$ per formation rule in our syntax. 
Thus we can refer e.g. to rule $(\vdash{-}\times{-}E)$ without ambiguity. Note the role 
of the convergence predicate T in $(\vdash{-}\oplus{-}E)$; it plays a similar role in 
the elimination rules for the other "strict" constructions of smash product 
[Plo81, Chapter 3 p. 1] and strict function space [Plo81, Chapter 1 p. 11], 
which we do not cover here. 
Semantics 

Following standard ideas [Plo81, SP82, Plo76], we now give a denotational 
semantics for this meta-language, in the form of a map 

$[\![\cdot]\!]_\sigma : \Lambda(\sigma) \to \mathrm{Env} \to \mathcal{D}(\sigma)$ 

where $\mathrm{Env} = \prod_\sigma \{\mathrm{Var}(\sigma) \to \mathcal{D}(\sigma)\}$ is the set of environments. 

$[\![x]\!]\rho = \rho x$ 

$[\![(M, N)]\!]\rho = \langle [\![M]\!]\rho, [\![N]\!]\rho\rangle$ 

$[\![\mathbf{let}\ M\ \mathbf{be}\ (x, y).N]\!]\rho = [\![N]\!]\rho[x \mapsto d, y \mapsto e]$ where $\langle d, e\rangle = [\![M]\!]\rho$ 

$[\![\imath(M)]\!]\rho = \langle 0, [\![M]\!]\rho\rangle$ if $[\![M]\!]\rho \neq \bot$; $\ \bot$ if $[\![M]\!]\rho = \bot$ 

$[\![\jmath(N)]\!]\rho = \langle 1, [\![N]\!]\rho\rangle$ if $[\![N]\!]\rho \neq \bot$; $\ \bot$ if $[\![N]\!]\rho = \bot$ 

$[\![\mathbf{cases}\ M\ \mathbf{of}\ \imath(x).N_1\ \mathbf{else}\ \jmath(y).N_2]\!]\rho = [\![N_1]\!]\rho[x \mapsto d]$ if $[\![M]\!]\rho = \langle 0, d\rangle$; $\ [\![N_2]\!]\rho[y \mapsto e]$ if $[\![M]\!]\rho = \langle 1, e\rangle$; $\ \bot$ if $[\![M]\!]\rho = \bot$ 

$[\![\mathbf{up}(M)]\!]\rho = \langle 0, [\![M]\!]\rho\rangle$ 

$[\![\mathbf{lift}\ M\ \mathbf{to}\ \mathbf{up}(x).N]\!]\rho = [\![N]\!]\rho[x \mapsto d]$ if $[\![M]\!]\rho = \langle 0, d\rangle$; $\ \bot$ if $[\![M]\!]\rho = \bot$ 

$[\![\{\!|M|\!\}_l]\!]\rho = {\downarrow}([\![M]\!]\rho)$ 

$[\![\mathbf{over}\ M\ \mathbf{extend}\ N]\!]\rho = \bigcup\{[\![N]\!]\rho[x \mapsto d] : d \in [\![M]\!]\rho\}$ 

$[\![M \uplus_l N]\!]\rho = ([\![M]\!]\rho) \cup ([\![N]\!]\rho)$ 

$[\![M \otimes_l N]\!]\rho = ([\![M]\!]\rho) \times ([\![N]\!]\rho)$ 

$[\![\{\!|M|\!\}_u]\!]\rho = {\uparrow}([\![M]\!]\rho)$ 

$[\![\mathbf{over}\ M\ \mathbf{extend}\ N]\!]\rho = \bigcup\{[\![N]\!]\rho[x \mapsto d] : d \in [\![M]\!]\rho\}$ 

$[\![M \uplus_u N]\!]\rho = ([\![M]\!]\rho) \cup ([\![N]\!]\rho)$ 

$[\![M \otimes_u N]\!]\rho = ([\![M]\!]\rho) \times ([\![N]\!]\rho)$ 

$[\![\mathbf{fold}(M)]\!]\rho = \alpha([\![M]\!]\rho)$ 

$[\![\mathbf{unfold}(M)]\!]\rho = \alpha^{-1}([\![M]\!]\rho)$ 

$[\![\mu x.M]\!]\rho = \bigsqcup_{k \in \omega} d_k$ 

where 

$d_0 = \bot, \quad d_{k+1} = [\![M]\!]\rho[x \mapsto d_k]$ 

Here $\alpha$ is the initial algebra isomorphism as in Section 2. We can 
use this semantics to define a notion of validity for assertions: 

$M, \Gamma \models \phi \equiv \forall \rho \in \mathrm{Env}.\ \rho \models \Gamma \implies [\![M]\!]_\sigma\rho \models \phi$ 

where 

$\rho \models \Gamma \equiv \forall x \in \mathrm{Var}.\ \rho x \models \Gamma x$ 

and for $d \in D(\sigma)$, $\phi \in L(\sigma)$: 

$d \models \phi \equiv d \in [\![\phi]\!]_\sigma$. 

We can now state the main result of this section: 

Theorem 4.3.1 The Endogenous logic is sound and complete: 

$\forall M, \Gamma, \phi.\ M, \Gamma \vdash \phi \iff M, \Gamma \models \phi$. 

We can state this result more sharply in terms of Stone Duality: it says 
that 

$\eta_\sigma^{-1}(\{[\phi]_{=_\sigma} : M, \Gamma \vdash \phi\}) = [\![M]\!]_\sigma\rho$, 

where 

$\eta_\sigma : \mathcal{D}(\sigma) \cong \mathrm{Spec}\,\mathcal{LA}(\sigma)$ 

is the component of the natural isomorphism arising from Theorem 4.2.5, i.e. 
that we recover the point of $\mathcal{D}(\sigma)$ given by the denotational semantics of $M$ 
from the properties we can prove to hold of $M$ in our logic. 
We now turn to the proof of Theorem 4.3.1. Our strategy is analogous 
to that of Chapter 3; we get Completeness via Prime Completeness. Firstly, 
we have: 

Theorem 4.3.2 (Soundness) For all $M, \Gamma, \phi$: 

$M, \Gamma \vdash \phi \implies M, \Gamma \models \phi$. 

Proof. By a routine induction on the length of proofs in the endogenous 
logic. We give two cases for illustration. 

1. Suppose the last step in the proof is an application of $(\vdash{-}\to{-}I)$: 

$\dfrac{M, \Gamma[x \mapsto \phi] \vdash \psi}{\lambda x.M, \Gamma \vdash (\phi \to \psi)}$ 

By induction hypothesis, $M, \Gamma[x \mapsto \phi] \models \psi$, i.e. for all $\rho \models \Gamma$, $d \in \mathcal{D}(\sigma)$, 

$d \in [\![\phi]\!] \implies [\![M]\!]\rho[x \mapsto d] \in [\![\psi]\!]$, 

which implies 

$\lambda x.M, \Gamma \models (\phi \to \psi)$. 

2. Next we consider $(\vdash{-}\Box{-}E)$: 

$\dfrac{M, \Gamma \vdash \Box\phi \quad N, \Gamma[x \mapsto \phi] \vdash \Box\psi}{\mathbf{over}\ M\ \mathbf{extend}\ N, \Gamma \vdash \Box\psi}$ 

By induction hypothesis, $M, \Gamma \models \Box\phi$ and $N, \Gamma[x \mapsto \phi] \models \Box\psi$. Hence for 
$\rho \models \Gamma$, $[\![M]\!]\rho \subseteq [\![\phi]\!]$, and for $d \in [\![\phi]\!]$, 

$d \in [\![\phi]\!] \implies [\![N]\!]\rho[x \mapsto d] \subseteq [\![\psi]\!]$. 

Thus 

$[\![\mathbf{over}\ M\ \mathbf{extend}\ N]\!]\rho \subseteq [\![\psi]\!]$ 

$\implies \mathbf{over}\ M\ \mathbf{extend}\ N, \Gamma \models \Box\psi$. ■ 

Next, we shall need a technical lemma which describes our program constructs under the denotational semantics. 
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Lemma 4.3.3 Foru e lC{V{a)), v E K,{V{t)), w e lC{V{v)), X e pfne(/C(r>( 
Y e pfU^{V{T))), Z e Pfne(/C(P((7 X t))), e lC{V{rect.a)), W2 e 
/C(P((T[rect. a/t])): 

(i) {u, v) □ [(M, N)]p ^ -u □ [M]p & V □ [iV]p 
(ii) w ^l\et M he {x,y).N}p ^ 3u,v. 

{u, v) □ [M]p & w □ IiV]p[x h-^ M, y h-^ v] 
(iii) v] □ lAx.Mjp <^ I) □ |M]p[a; I— >■ li] 
(i^;) □ IMA^Ip ^ 3u.[u,v] □ |Mlp&ii □ {Njp 
(v) <0,u> C [^(M)]p 4=^ M □ |M]p 

<l,t;>C|j(iV)]p ^ t^C[iV]p 
(vi) w ± =^ w C. leases M of i{x). Ni e\se j{y). N2IP 

3u ^ ±. <0, ii> □ \M\p & w □ |A^i1p[x ^ u\ 

or 

3v ±. <1, v> C |M]p & w □ lA^2lp[a; ^ i;] 
(vii) <0,M> □ Iup(M)]p ^ M □ lM]p 
(viii) -u 7^ ± =^ V □ |lift M to up(x). N\p <^ 
3ti. <0, u> □ |M]p & V □ \N\p\x ^ li] 

(ix) □ [flMD^lp 4» Vx e □ |M1p 

(x) iY C lover M extend iV]p <^ 3X ;X □ [M]p 

(xi) ;X □ \M l±)i Ar]p ^ ;X □ |M]p or^X □ |Ar]p 
(xii) iZ □ |M (8); ATjp ^ 3X, y. |Z □ XX ®i iY 

hiX\L \M\ph]X □ \N\p 
(xiii) tX E [{|M|}„]p ^ 3a; e X.x C lM]p 
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(xiv) tY ^ lover M extend Njp ^ 3X. □ {Mjp 

(xv) tX C [M W„ Njp ^ C |M]p & □ |iV]p 

ktXnlMjpktYHlNjp 
{xvii) wi □ [fold (M)]p ^ a-^(wi) □ |M]p 
(xt;m) W2 C |unfold(M)]p ^ a(?i;2) C |M]p 
(xix) M C |/ix.M]p 3k E uj , Uq, . . . , Uk- Uq = -L Sz = u 
kWi -.0 <i < k. Ui+i □ lM]p[x ^ u,] 

Proof. The content of tliis Lemma is all quite standard, at least in the 
folklore. It amounts to a description of the combinators underlying the de- 
notational semantics of terms as approximable mappings. Most of it can be 
found, couched in the language of information systems, in |Sco82j . and for 
neighbourhood systems in |Sco81j . We shall just give a couple of the less 
familiar cases for illustration, 
(xii). 

• □ [M ®z Njp 

^ iZC mix (S)i IF : ;X □ {Mjp & □ {Njp} 
since 0/ is continuous 

^ 3x, Y. iz □ IX ;r & ;x □ |M]p & ;r □ {Njp 

since ^Z is finite. 

(xiv). 

• tY ^ lover M extend Njp 

^ tY^ Utxg[A/lp U{IA^1p[^ ^u]:uem 

since extend is continuous 
^ 3X. tX C |M]p L^n U„,|^|iVlp[x ^ m] 
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since '[Y is finite. The argument is completed by observing that 
U mp[x^u]= \JlNjp[x^u]. I 

Now for Prime Completeness.

Notation. $\mathrm{CPNF}(\Gamma) \equiv \forall x \in \mathsf{Var}.\ \mathrm{CPNF}(\Gamma x)$.

Theorem 4.3.4 (Prime Completeness) $\mathrm{CPNF}(\Gamma)$ and $\mathrm{CPNF}(\phi)$ imply that

$M, \Gamma \models \phi \Rightarrow M, \Gamma \vdash \phi.$

Proof. We begin by establishing some useful notation. Given $\Gamma$ with $\mathrm{CPNF}(\Gamma)$, we define an environment $\rho_\Gamma$ by:

$\forall x \in \mathsf{Var}.\ \Gamma x \leftrightarrow \rho_\Gamma x.$

This is well-defined by Proposition 4.2.3. Similarly, let $\phi \leftrightarrow u$. Now we have:

$M, \Gamma \models \phi \iff u \sqsubseteq [\![M]\!]\rho_\Gamma \qquad (4.1)$

The proof proceeds by induction on $M$. As the various cases all share a common pattern, we shall only give a selection of the more interesting for illustration.

Abstraction. We argue by induction on $\phi$. The inductive case, which can only be a conjunction, since $\phi$ is in CPNF, is trivial. We are left with the case for a generator $(\phi \to \psi)$, where $\phi, \psi$ are in CPNF. Let $\phi \leftrightarrow u$, $\psi \leftrightarrow v$. Then

$\lambda x.M, \Gamma \models (\phi \to \psi)$

$\iff [u, v] \sqsubseteq [\![\lambda x.M]\!]\rho_\Gamma$ (4.1)

$\iff v \sqsubseteq [\![M]\!]\rho_\Gamma[x \mapsto u]$ 4.3.3(iii)

$\iff M, \Gamma[x \mapsto \phi] \models \psi$ (4.1)

$\Rightarrow M, \Gamma[x \mapsto \phi] \vdash \psi$ ind. hyp.

$\Rightarrow \lambda x.M, \Gamma \vdash (\phi \to \psi)$ $(\vdash\text{-}\to\text{-}I)$
Application.

$MN, \Gamma \models \phi$

$\iff u \sqsubseteq [\![MN]\!]\rho_\Gamma$ (4.1)

$\iff \exists v.\ [v, u] \sqsubseteq [\![M]\!]\rho_\Gamma \;\&\; v \sqsubseteq [\![N]\!]\rho_\Gamma$ 4.3.3(iv)

$\iff M, \Gamma \models (\psi \to \phi) \;\&\; N, \Gamma \models \psi$ (4.1), where $\psi \leftrightarrow v$

$\Rightarrow M, \Gamma \vdash (\psi \to \phi) \;\&\; N, \Gamma \vdash \psi$ ind. hyp.

$\Rightarrow MN, \Gamma \vdash \phi$
Case expression.

$\mathbf{cases}\ M\ \mathbf{of}\ i(x).N_1\ \mathbf{else}\ j(y).N_2, \Gamma \models \phi$

$\iff u \sqsubseteq [\![\mathbf{cases}\ M\ \mathbf{of}\ i(x).N_1\ \mathbf{else}\ j(y).N_2]\!]\rho_\Gamma$ (4.1)

If $u = \bot$, then $\mathcal{L} \vdash t \le \phi$, and the required conclusion follows by $(\vdash\text{-}\wedge)$ and $(\vdash\text{-}\le)$. Otherwise, by 4.3.3(vi), either

(i) $\exists u_1 \neq \bot.\ \langle 0, u_1\rangle \sqsubseteq [\![M]\!]\rho_\Gamma \;\&\; u \sqsubseteq [\![N_1]\!]\rho_\Gamma[x \mapsto u_1]$

or

(ii) $\exists u_2 \neq \bot.\ \langle 1, u_2\rangle \sqsubseteq [\![M]\!]\rho_\Gamma \;\&\; u \sqsubseteq [\![N_2]\!]\rho_\Gamma[y \mapsto u_2]$.

We shall consider sub-case (i); (ii) is entirely similar. Let $\phi_1 \leftrightarrow u_1$. Then

$\langle 0, u_1\rangle \sqsubseteq [\![M]\!]\rho_\Gamma \;\&\; u \sqsubseteq [\![N_1]\!]\rho_\Gamma[x \mapsto u_1]$

$\iff M, \Gamma \models (\phi_1 \oplus f) \;\&\; N_1, \Gamma[x \mapsto \phi_1] \models \phi$ (4.1)

$\Rightarrow M, \Gamma \vdash (\phi_1 \oplus f) \;\&\; N_1, \Gamma[x \mapsto \phi_1] \vdash \phi$ ind. hyp.

$\Rightarrow \mathbf{cases}\ M\ \mathbf{of}\ i(x).N_1\ \mathbf{else}\ j(y).N_2, \Gamma \vdash \phi$ by $(\vdash\text{-}\oplus\text{-}E)$, since $u_1 \neq \bot$ implies $\phi_1\!\downarrow$ by 4.2.1.

Tensor product. We write $\phi \in \mathrm{CPNF}(P_u(\sigma \times \tau))$ as $\Box\bigvee_{i \in I}(\phi_i \times \psi_i)$, and define $Z = \uparrow\!\{(u_i, v_i) : i \in I\}$, where

$\phi_i \leftrightarrow u_i, \quad \psi_i \leftrightarrow v_i \quad (i \in I).$

Now

$M \otimes_u N, \Gamma \models \Box\bigvee_{i \in I}(\phi_i \times \psi_i)$

$\iff Z \sqsubseteq [\![M \otimes_u N]\!]\rho_\Gamma$ (4.1)

$\iff \exists X, Y.\ \uparrow\!X \sqsubseteq [\![M]\!]\rho_\Gamma \;\&\; \uparrow\!Y \sqsubseteq [\![N]\!]\rho_\Gamma \;\&\; Z \sqsubseteq \uparrow\!X \otimes_u \uparrow\!Y = \uparrow\!(X \times Y)$ 4.3.3(xvi)

Let $X = \{u_k\}_{k \in K}$, $Y = \{v_l\}_{l \in L}$, and define

$\phi_k \leftrightarrow u_k \ (k \in K), \quad \psi_l \leftrightarrow v_l \ (l \in L).$

Now

$\uparrow\!X \sqsubseteq [\![M]\!]\rho_\Gamma \;\&\; \uparrow\!Y \sqsubseteq [\![N]\!]\rho_\Gamma$

$\iff M, \Gamma \models \Box\bigvee_{k \in K}\phi_k \;\&\; N, \Gamma \models \Box\bigvee_{l \in L}\psi_l$ (4.1)

$\Rightarrow M, \Gamma \vdash \Box\bigvee_{k \in K}\phi_k \;\&\; N, \Gamma \vdash \Box\bigvee_{l \in L}\psi_l$ ind. hyp.

Finally,

$\mathcal{L} \vdash (\bigvee_{k \in K}\phi_k \times \bigvee_{l \in L}\psi_l) = \bigvee_{(k, l) \in K \times L}(\phi_k \times \psi_l)$ $(\times\text{-}\vee)$

$\le \bigvee_{i \in I}(\phi_i \times \psi_i)$

since $Z \sqsubseteq \uparrow\!(X \times Y)$ implies

$\forall k, l.\ \exists i.\ \mathcal{L} \vdash (\phi_k \times \psi_l) \le (\phi_i \times \psi_i).$

Hence by $(\vdash\text{-}\le)$,

$M \otimes_u N, \Gamma \vdash \Box\bigvee_{i \in I}(\phi_i \times \psi_i).$

Extension. As in the case for abstraction, it suffices to consider the case when $\phi$ is a generator $\Box\bigvee_{i \in I}\phi_i$. We define $Y = \{u_i\}_{i \in I}$, where $\phi_i \leftrightarrow u_i$ $(i \in I)$. Now

$\mathbf{over}\ M\ \mathbf{extend}\ N, \Gamma \models \Box\bigvee_{i \in I}\phi_i$

$\iff \uparrow\!Y \sqsubseteq [\![\mathbf{over}\ M\ \mathbf{extend}\ N]\!]\rho_\Gamma$ (4.1)

$\iff \exists X.\ \uparrow\!X \sqsubseteq [\![M]\!]\rho_\Gamma \;\&\; \uparrow\!Y \sqsubseteq \biguplus_{u \in X}[\![N]\!]\rho_\Gamma[x \mapsto u]$ 4.3.3(xiv)

$\iff \exists X.\ \uparrow\!X \sqsubseteq [\![M]\!]\rho_\Gamma \;\&\; \forall u \in X.\ \uparrow\!Y \sqsubseteq [\![N]\!]\rho_\Gamma[x \mapsto u]$

Let $X = \{v_j\}_{j \in J}$, $\psi_j \leftrightarrow v_j$ $(j \in J)$. Then

$\uparrow\!X \sqsubseteq [\![M]\!]\rho_\Gamma \;\&\; \forall u \in X.\ \uparrow\!Y \sqsubseteq [\![N]\!]\rho_\Gamma[x \mapsto u]$

$\iff M, \Gamma \models \Box\bigvee_{j \in J}\psi_j \;\&\; \forall j \in J.\ N, \Gamma[x \mapsto \psi_j] \models \phi$ (4.1)

$\Rightarrow M, \Gamma \vdash \Box\bigvee_{j \in J}\psi_j \;\&\; \forall j \in J.\ N, \Gamma[x \mapsto \psi_j] \vdash \phi$ ind. hyp.

$\Rightarrow M, \Gamma \vdash \Box\bigvee_{j \in J}\psi_j \;\&\; N, \Gamma[x \mapsto \bigvee_{j \in J}\psi_j] \vdash \phi$ $(\vdash\text{-}\vee)$

$\Rightarrow \mathbf{over}\ M\ \mathbf{extend}\ N, \Gamma \vdash \phi$ $(\vdash\text{-}\Box\text{-}E)$

Recursive types. Firstly, we note that for $\phi \in \mathcal{L}(\mathrm{rec}\,t.\sigma)$,

$\phi \leftrightarrow u \iff \phi \leftrightarrow \alpha^{-1}(u),$

since $\mathcal{L}(\mathrm{rec}\,t.\sigma) = \mathcal{L}(\sigma[\mathrm{rec}\,t.\sigma/t])$. Now,

$\mathbf{fold}(M), \Gamma \models \phi$

$\iff u \sqsubseteq [\![\mathbf{fold}(M)]\!]\rho_\Gamma$ (4.1)

$\iff \alpha^{-1}(u) \sqsubseteq [\![M]\!]\rho_\Gamma$ 4.3.3(xvii)

$\iff M, \Gamma \models \phi$ (4.1)

$\Rightarrow M, \Gamma \vdash \phi$ ind. hyp.

$\Rightarrow \mathbf{fold}(M), \Gamma \vdash \phi$ $(\vdash\text{-}\mathrm{rec}\text{-}I)$

Recursion.

$\mu x.M, \Gamma \models \phi$

$\iff u \sqsubseteq [\![\mu x.M]\!]\rho_\Gamma$ (4.1)

$\iff \exists k \in \omega, u_0, \ldots, u_k.\ u_0 = \bot \;\&\; u_k = u \;\&\; \forall i : 0 \le i < k.\ u_{i+1} \sqsubseteq [\![M]\!]\rho_\Gamma[x \mapsto u_i]$ 4.3.3(xix).

Let $\|u\|$ be the least such $k$ (as a function of $u$ for $u \sqsubseteq [\![\mu x.M]\!]\rho_\Gamma$, keeping $\mu x.M, \Gamma$ fixed). We complete the proof for this case by induction on $\|u\|$ with $\phi \leftrightarrow u$.

Basis:

$\|u\| = 0 \Rightarrow u = \bot \Rightarrow \mathcal{L} \vdash t \le \phi \Rightarrow \mu x.M, \Gamma \vdash \phi,$

by $(\vdash\text{-}\wedge)$ and $(\vdash\text{-}\le)$.

Induction step: $\|u\| = k + 1$. Then by definition of $\|u\|$, for some $v$,

$u \sqsubseteq [\![M]\!]\rho_\Gamma[x \mapsto v] \;\&\; \|v\| = k.$

Let $\psi \leftrightarrow v$. Then

$u \sqsubseteq [\![M]\!]\rho_\Gamma[x \mapsto v] \;\&\; \|v\| = k$

$\Rightarrow M, \Gamma[x \mapsto \psi] \models \phi \;\&\; \mu x.M, \Gamma \vdash \psi$ (4.1), inner ind. hyp.

$\Rightarrow M, \Gamma[x \mapsto \psi] \vdash \phi \;\&\; \mu x.M, \Gamma \vdash \psi$ outer ind. hyp.

$\Rightarrow \mu x.M, \Gamma \vdash \phi$ $(\vdash\text{-}\mu\text{-}I)$. ∎

Finally, we can prove Theorem 4.3.1. One half is Theorem 4.3.2. For the converse, suppose $M, \Gamma \models \phi$. We can assume that $\Gamma x \neq f$ for all $x \in \mathsf{Var}$ (meaning $[\![\Gamma x]\!] \neq \emptyset$, or, equivalently by Theorem 4.2.5, $\mathcal{L} \nvdash \Gamma x = f$), since otherwise we could apply $(\vdash\text{-}\vee)$ to obtain $M, \Gamma \vdash \phi$. Let $V = \mathrm{FV}(M)$, the free variables of $M$. (We omit the formal definition, which should be obvious). We define $\Gamma_V$ by

$\Gamma_V x = \Gamma x$ if $x \in V$, and $t$ otherwise.

Then by standard arguments we have:

$M, \Gamma \models \phi \iff M, \Gamma_V \models \phi \qquad (4.2)$

$M, \Gamma \vdash \phi \iff M, \Gamma_V \vdash \phi \qquad (4.3)$

Now by Lemma 4.2.2 we have

$\mathcal{L} \vdash \phi = \bigvee_{i \in I}\phi_i,$

and for all $x \in V$,

$\mathcal{L} \vdash \Gamma x = \bigvee_{j \in J_x}\psi^x_j,$

with each $\phi_i$, $\psi^x_j$ in CPNF. Moreover, our assumption that $\Gamma x \neq f$ for all $x$ implies that $J_x \neq \emptyset$ for all $x \in V$. Given $f \in \prod_{x \in V} J_x$ (i.e. a choice function selecting one of the disjuncts $\psi^x_{fx}$, $fx \in J_x$, for each $x \in V$), we define $\Gamma_f$ by:

$\Gamma_f x = \psi^x_{fx}$ if $x \in V$, and $t$ otherwise.

Then

$M, \Gamma \models \phi$

$\iff M, \Gamma_V \models \phi$ (4.2)

$\iff \forall f \in \prod_{x \in V} J_x.\ M, \Gamma_f \models \phi$ $(\vdash\text{-}\le)$, Soundness

$\iff \forall f \in \prod_{x \in V} J_x.\ \exists i \in I.\ M, \Gamma_f \models \phi_i$

$\Rightarrow \forall f \in \prod_{x \in V} J_x.\ \exists i \in I.\ M, \Gamma_f \vdash \phi_i$ Prime Completeness

$\Rightarrow \forall f \in \prod_{x \in V} J_x.\ M, \Gamma_f \vdash \phi$ $(\vdash\text{-}\le)$

$\Rightarrow M, \Gamma_V \vdash \phi$ $(\vdash\text{-}\vee)$

$\Rightarrow M, \Gamma \vdash \phi$ (4.3). ∎
4.4 Programs as Morphisms: Exogenous Logic

We now introduce a second extension of our denotational meta-language, which provides a syntax of terms denoting morphisms between, rather than elements of, domains. This is an extended version of the algebraic meta-language for cartesian closed categories [Poi86, LS86], just as the language of the previous section was an extended typed λ-calculus. Terms are sorted on morphism types $(\sigma, \tau)$, with notation $f : (\sigma, \tau)$. We shall give the formation rules in "polymorphic" style, with type subscripts omitted.



Syntax of morphism terms

• $\mathrm{id} : (\sigma, \sigma)$ $\qquad$ • $\dfrac{f : (\sigma, \tau) \quad g : (\tau, \upsilon)}{f;g : (\sigma, \upsilon)}$

• $1 : (\sigma, \mathbf{1})$

• $\dfrac{f : (\upsilon, \sigma) \quad g : (\upsilon, \tau)}{\langle f, g\rangle : (\upsilon, \sigma \times \tau)}$

• $p : (\sigma \times \tau, \sigma)$ $\qquad$ • $q : (\sigma \times \tau, \tau)$

• $\dfrac{f : (\sigma \times \tau, \upsilon)}{\Lambda(f) : (\sigma, \tau \to \upsilon)}$ $\qquad$ • $\mathrm{Ap} : ((\sigma \to \tau) \times \sigma, \tau)$

• $i : (\sigma, \sigma \oplus \tau)$ $\qquad$ • $j : (\tau, \sigma \oplus \tau)$

• $\dfrac{f : (\sigma, \upsilon) \quad g : (\tau, \upsilon)}{[f, g] : (\sigma \oplus \tau, \upsilon)}$ $\qquad$ • $\dfrac{f : (\sigma, \tau)}{\mathrm{strict}(f) : (\sigma, \tau)}$

• $\mathrm{up} : (\sigma, (\sigma)_\bot)$ $\qquad$ • $\dfrac{f : (\sigma, \tau)}{\mathrm{lift}(f) : ((\sigma)_\bot, \tau)}$

• $\{\!|\cdot|\!\}_l : (\sigma, P_l\sigma)$ $\qquad$ • $\{\!|\cdot|\!\}_u : (\sigma, P_u\sigma)$

• $\dfrac{f : (\sigma, P_l\tau)}{f^\dagger : (P_l\sigma, P_l\tau)}$ $\qquad$ • $\dfrac{f : (\sigma, P_u\tau)}{f^\dagger : (P_u\sigma, P_u\tau)}$

• $+_l : (P_l\sigma \times P_l\sigma, P_l\sigma)$ $\qquad$ • $+_u : (P_u\sigma \times P_u\sigma, P_u\sigma)$

• $\otimes_l : (P_l\sigma \times P_l\tau, P_l(\sigma \times \tau))$ $\qquad$ • $\otimes_u : (P_u\sigma \times P_u\tau, P_u(\sigma \times \tau))$

• $\mathrm{fold} : (\sigma[\mathrm{rec}\,t.\sigma/t], \mathrm{rec}\,t.\sigma)$ $\qquad$ • $\mathrm{unfold} : (\mathrm{rec}\,t.\sigma, \sigma[\mathrm{rec}\,t.\sigma/t])$

• $\mathrm{Y} : (\sigma \to \sigma, \sigma)$

We now form an exogenous logic DDL (for dynamic domain logic, because of the evident analogy with dynamic logic [Pra81, Har79]). DDL is an extension of $\mathcal{L}$, the basic domain logic described in Section 2.
Formation Rules

We define the set of formulas $\mathrm{DDL}(\sigma)$ for each type $\sigma$.

• $\mathcal{L}(\sigma) \subseteq \mathrm{DDL}(\sigma)$

• $t, f \in \mathrm{DDL}(\sigma)$

• $\dfrac{f : (\sigma, \tau) \quad \phi \in \mathrm{DDL}(\tau)}{[f]\phi \in \mathrm{DDL}(\sigma)}$

• $\dfrac{\phi, \psi \in \mathrm{DDL}(\sigma)}{\phi \wedge \psi,\ \phi \vee \psi \in \mathrm{DDL}(\sigma)}$

Axiomatization

The following axioms and rules are added to those of $\mathcal{L}$.

• $\dfrac{\phi \le \psi}{[f]\phi \le [f]\psi}$

• $[f]\bigwedge_{i \in I}\phi_i = \bigwedge_{i \in I}[f]\phi_i$ $\qquad$ • $[f]\bigvee_{i \in I}\phi_i = \bigvee_{i \in I}[f]\phi_i$

• $[\mathrm{id}]\phi = \phi$ $\qquad$ • $[f;g]\phi = [f][g]\phi$

• $[\langle f, g\rangle](\phi \times \psi) = [f]\phi \wedge [g]\psi$

• $[p]\phi = (\phi \times t)$ $\qquad$ • $[q]\psi = (t \times \psi)$

• $[i](\phi \oplus f) = \phi$ $\qquad$ • $[i](f \oplus \psi) = f \quad (\psi\!\downarrow)$

• $[j](\phi \oplus f) = f \quad (\phi\!\downarrow)$ $\qquad$ • $[j](f \oplus \psi) = \psi$

• $[[f, g]]\phi = ([\mathrm{strict}(f)]\phi \oplus f) \vee (f \oplus [\mathrm{strict}(g)]\phi)$

• $\dfrac{\phi \le [f]\psi}{\phi \le [\mathrm{strict}(f)]\psi} \quad (\phi\!\downarrow)$

• $[\mathrm{up}](\phi)_\bot = \phi$ $\qquad$ • $[\mathrm{lift}(f)]\phi = ([f]\phi)_\bot$

• $[\{\!|\cdot|\!\}_l]\Diamond\phi = \phi$ $\qquad$ • $[\{\!|\cdot|\!\}_u]\Box\phi = \phi$

• $\dfrac{\phi \le [f]\Diamond\psi}{\Diamond\phi \le [f^\dagger]\Diamond\psi}$ $\qquad$ • $\dfrac{\phi \le [f]\Box\psi}{\Box\phi \le [f^\dagger]\Box\psi}$

• $[+_l]\Diamond\phi = (\Diamond\phi \times t) \vee (t \times \Diamond\phi)$

• $[\otimes_l]\Diamond(\phi \times \psi) = (\Diamond\phi \times \Diamond\psi)$

• $[\mathrm{fold}]\phi = \phi$ $\qquad$ • $[\mathrm{unfold}]\phi = \phi$

• $\phi \le [\mathrm{Y}]\psi$



At this point, we could proceed to give a direct treatment of the semantics and meta-theory of DDL, just as we did for the endogenous logic in Section 3. This would ignore the salient fact that our morphism term language and the typed λ-calculus presented in Section 3 are essentially equivalent. Instead, we shall give a translation of morphism terms into λ-terms. The idea is that a morphism term $f : (\sigma, \tau)$ is translated into a λ-term $(f)^\circ : \sigma \to \tau$.

Translation

$(\mathrm{id})^\circ = \lambda x.x$

$(f;g)^\circ = \lambda x.(g)^\circ((f)^\circ x)$

$(1)^\circ = \lambda x.\ast$

$(\langle f, g\rangle)^\circ = \lambda x.((f)^\circ x, (g)^\circ x)$

$(p)^\circ = \lambda z.\mathbf{let}\ z\ \mathbf{be}\ (x, y).x$

$(q)^\circ = \lambda z.\mathbf{let}\ z\ \mathbf{be}\ (x, y).y$

$(\Lambda(f))^\circ = \lambda x.\lambda y.(f)^\circ(x, y)$

$(\mathrm{Ap})^\circ = \lambda f.\lambda x.fx$

$(i)^\circ = \lambda x.i(x)$

$(j)^\circ = \lambda y.j(y)$

$([f, g])^\circ = \lambda z.\mathbf{cases}\ z\ \mathbf{of}\ i(x).(f)^\circ x\ \mathbf{else}\ j(y).(g)^\circ y$

$(\mathrm{strict}(f))^\circ = \lambda x.\mathbf{cases}\ i(x)\ \mathbf{of}\ i(x).(f)^\circ x\ \mathbf{else}\ j(y).y$

$(\mathrm{up})^\circ = \lambda x.\mathbf{up}(x)$

$(\mathrm{lift}(f))^\circ = \lambda y.\mathbf{lift}\ y\ \mathbf{to}\ \mathbf{up}(x).(f)^\circ x$

$(\{\!|\cdot|\!\}_l)^\circ = \lambda x.\{\!|x|\!\}_l$

$(\{\!|\cdot|\!\}_u)^\circ = \lambda x.\{\!|x|\!\}_u$

$(f^\dagger_l)^\circ = \lambda z.\mathbf{over}\ z\ \mathbf{extend}\ \{\!|x|\!\}_l.(f)^\circ x$

$(f^\dagger_u)^\circ = \lambda z.\mathbf{over}\ z\ \mathbf{extend}\ \{\!|x|\!\}_u.(f)^\circ x$

$(+_l)^\circ = \lambda z.\mathbf{let}\ z\ \mathbf{be}\ (x, y).x \uplus_l y$

$(+_u)^\circ = \lambda z.\mathbf{let}\ z\ \mathbf{be}\ (x, y).x \uplus_u y$

$(\otimes_l)^\circ = \lambda z.\mathbf{let}\ z\ \mathbf{be}\ (x, y).x \otimes_l y$

$(\otimes_u)^\circ = \lambda z.\mathbf{let}\ z\ \mathbf{be}\ (x, y).x \otimes_u y$

$(\mathrm{fold})^\circ = \lambda x.\mathbf{fold}(x)$

$(\mathrm{unfold})^\circ = \lambda x.\mathbf{unfold}(x)$

$(\mathrm{Y})^\circ = \lambda f.\mu x.fx$

Semantics

Let $\mathcal{M}(\sigma, \tau)$ be the set of morphism terms of sort $(\sigma, \tau)$. Since

$\mathbf{SDom}(\mathcal{D}(\sigma), \mathcal{D}(\tau)) \cong \mathcal{D}(\sigma \to \tau)$

by cartesian closure, we can get a semantics

$[\![\cdot]\!] : \mathcal{M}(\sigma, \tau) \to \mathbf{SDom}(\mathcal{D}(\sigma), \mathcal{D}(\tau))$

for morphism terms from the above translation. We use this to extend our semantics for $\mathcal{L}$ from Section 2 to DDL:

$[\![[f]\phi]\!] = ([\![f]\!])^{-1}([\![\phi]\!])$

(the other clauses being handled in the obvious way). Note that the denotations of formulas in DDL are still open sets (continuity!), but need no longer be compact-open, since compactness is not preserved under inverse image in general.

This semantics yields a notion of validity for DDL assertions:

$\models \phi \le \psi \;\equiv\; [\![\phi]\!] \subseteq [\![\psi]\!].$
Theorem 4.4.1 DDL is sound:

$\mathrm{DDL} \vdash \phi \le \psi \;\Rightarrow\; \models \phi \le \psi.$

Proof. The usual routine induction on the length of proofs. We give a few cases for illustration.

Left injection.

$[\![[i](\phi \oplus f)]\!] = ([\![i]\!])^{-1}([\![(\phi \oplus f)]\!])$

$= \{d : \langle 0, d\rangle \in [\![(\phi \oplus f)]\!]\} \cup \{\bot : \bot \in [\![(\phi \oplus f)]\!]\}$

$= [\![\phi]\!].$

Strictification. Note that

$[\![\mathrm{strict}(f)]\!]d = \bot$ if $d = \bot$, and $fd$ otherwise.

Now,

$\bot \notin [\![\phi]\!] \Rightarrow \forall d \in [\![\phi]\!].\ [\![\mathrm{strict}(f)]\!]d = fd,$

which implies

$[\![\phi]\!] \subseteq [\![[f]\psi]\!] \Rightarrow [\![\phi]\!] \subseteq [\![[\mathrm{strict}(f)]\psi]\!].$

Union.

$[\![[+_l]\Diamond\phi]\!] = \{(X, Y) : (X \uplus Y) \cap [\![\phi]\!] \neq \emptyset\}$

$= \{(X, Y) : X \cap [\![\phi]\!] \neq \emptyset$ or $Y \cap [\![\phi]\!] \neq \emptyset\}$

$= \{(X, Y) : X \cap [\![\phi]\!] \neq \emptyset\} \cup \{(X, Y) : Y \cap [\![\phi]\!] \neq \emptyset\}$

$= [\![(\Diamond\phi \times t) \vee (t \times \Diamond\phi)]\!].$

$[\![[+_u]\Box\phi]\!] = \{(X, Y) : X \subseteq [\![\phi]\!] \;\&\; Y \subseteq [\![\phi]\!]\}$

$= [\![(\Box\phi \times \Box\phi)]\!].$

Recursion.

$[\![\phi]\!] \subseteq [\![[\mathrm{Y}]\psi]\!]$

$\iff \forall f \in [\![\phi]\!].\ \mathrm{Y}f \in [\![\psi]\!]$

and for $f \in [\![\phi]\!] \cap [\![(\psi \to \psi)]\!]$, $\mathrm{Y}f = f(\mathrm{Y}f) \in [\![\psi]\!]$. ∎

Next, we turn to what can be proved in the way of completeness. A Hoare triple in DDL is a formula $\phi \le [f]\psi$ such that $\phi$ and $\psi$ are formulas of $\mathcal{L}$, i.e. do not contain any program modalities.

Theorem 4.4.2 (Completeness For Hoare Triples) Let $\phi \le [f]\psi$ be a Hoare triple. Then

$\mathrm{DDL} \vdash \phi \le [f]\psi \iff\ \models \phi \le [f]\psi.$

This result can either be proved directly, in similar fashion to Theorem 4.3.1; or it can be reduced to that result, since

$\models \phi \le [f]\psi \iff (f)^\circ, \Gamma_t \models (\phi \to \psi)$

(where $\Gamma_t$ is the constant map $x \mapsto t$). It thus suffices to prove:

$(f)^\circ, \Gamma_t \vdash (\phi \to \psi) \Rightarrow \mathrm{DDL} \vdash \phi \le [f]\psi.$

In either approach, the argument is a straightforward variation on our work in Section 3, which we omit since it adds nothing new.

Finally, we come to a limitative result, which differentiates DDL from the endogenous logic of Section 3, and shows that the restricted form of 4.4.2 is necessary. The result is of course not "surprising", since DDL is semantically more expressive than the endogenous logic, allowing the description of non-compact open sets.

Theorem 4.4.3 The validity problem for DDL is $\Pi^0_2$-complete.

Proof. We will need some notions on effectively given domains; see [Plo81, Chapter 7]. Firstly, each type expression in our meta-language has an effectively given domain as its denotation (since effectively given domains are closed under recursive definitions and all our type constructions [Plo81, Chapter 7 pp. 16, 21, Chapter 8 pp. 16, 54]). Similarly, each term $f : (\sigma, \tau)$ denotes a computable morphism from $\mathcal{D}(\sigma)$ to $\mathcal{D}(\tau)$. Moreover, each $\phi \in \mathcal{L}(\sigma)$ denotes a compact-open, and hence computable open set in $\mathcal{D}(\sigma)$; and computable open sets are closed under inverse images of computable maps [Plo81, Chapter 7 p. 9], and under finite unions and intersections [Plo81, Chapter 7 p. 7]. Thus each formula of DDL denotes a computable open set, and the problem of deciding the validity of the assertion $\phi \le \psi$ can be reduced to that of deciding the inclusion of r.e. sets $[\![\phi]\!] \subseteq [\![\psi]\!]$, which as is well-known [Soa87, IV.1.6] is $\Pi^0_2$.

To complete the argument, we take a standard $\Pi^0_2$-complete problem, and reduce it to validity in DDL. The problem we choose is

$\mathrm{Tot} = \{x : W_x = \mathbb{N}\}$

i.e. the set of codes of total recursive functions [Soa87, IV.3.2]. To perform the reduction, we proceed as follows:

• The type $N_\bot = \mathrm{rec}\,t.\,(\mathbf{1})_\bot \oplus t$ is used to model the flat domain of natural numbers.

• We can show that every partial recursive function $\phi : \mathbb{N} \rightharpoonup \mathbb{N}$, thought of as a strict continuous function of type $N_\bot \to N_\bot$, can be defined by a morphism term. This is quite standard: the numerals are constructed from the injections, lifting, and fold and unfold; the conditional and basic predicates from source tupling; and primitive recursion from general recursion (Y) and conditional. We omit the details.

• In particular, we can define a morphism term $N : (N_\bot, N_\bot)$ such that $[\![N]\!]d = 0$ if $d \neq \bot$, and $\bot$ otherwise.

• Now given a partial recursive function $\phi$ represented by a morphism term $f$, the totality of $\phi$ is equivalent to the DDL-validity of

$[N]0 \le [f][N]0$

where $0 \equiv ((t)_\bot \oplus f)$ (so $[\![0]\!] = \{0\}$). ∎
4.5 Applications: The Logic of a Domain Equation

A denotational analysis of a computational situation results in the description of a domain which provides an appropriate semantic universe for this situation. Canonically, domains are specified by type expressions in a meta-language. We can then use our approach to "turn the handle", and generate a logic for this situation in a quite mechanical way.

We shall now go on to develop two case studies of this kind, in the areas of concurrency (Chapter 5) and the λ-calculus (Chapter 6).
Chapter 5

Applications to Concurrency: A Domain Equation for Bisimulation

5.1 Introduction

Our aim in this Chapter is to treat some basic topics in the theory of concurrency from the point of view of domain logic. This will serve as a major case study for the general theory developed in the previous two Chapters; and will also weave another of the strands mentioned in Chapter 1 into our narrative. Our aim is not only to exemplify the general theory, but to apply it in order to shed some new light on concurrency. In particular, we shall study bisimulation [Par81, Mil83, HM85]. This notion has emerged as one of the more stable and mathematically natural concepts to have been formulated in the study of concurrency over the past decade. It is commonly accepted as the finest extensional or behavioural equivalence on processes one would want to impose. To date, bisimulation has been studied almost exclusively from the operational and logical points of view. Our aim is to show that this notion can be captured elegantly in the setting of domain theory, using Plotkin's powerdomain construction [Plo76]. Moreover, we shall make extensive use of the logical form of domain theory developed in the previous Chapter. Thus our motivation can be summarised as follows:

• To show that more can be done in the sphere of concurrency using domain-theoretic and denotational methods than seems to be commonly realised.

• To analyze the apparently ad hoc and "application oriented" notions of 
bisimulation over labelled transition systems and Hennessy-Milner logic 
by means of the general, mathematically basic, and "reusable" notions 
of domain theory, specifically type constructions and the solution of 
recursive domain equations. 

• To form part of our general programme of connecting 

1. Domain theory and operational notions of observability 

2. Denotational semantics and program logics. 

This programme is made systematic by using the information conveyed 
in the syntactic description of domains by type expressions. It can be 
argued that a full domain-theoretic analysis of some computational 
situation is only obtained when we have written down an explicit type 
expression, rather than using some ad hoc construction of a cpo. At 
any rate, the benefits which flow from having such a description are 
very considerable. Using the ideas developed in the previous Chapter, 
we can derive a propositional theory from the type expression, and use 
this to explore the "observational logic" of the computational situation. 

We now summarise the further contents of the Chapter. After reviewing 
some basic notions on transition systems etc., we introduce a domain of 
synchronisation trees defined by means of a domain equation (recursive type 
expression). Then we present a domain logic for transition systems, which 
is derived from this domain equation in the sense of Chapter 3. The main 
result of section 4 is that the finitary part of this logic is the Stone dual of 
our domain of synchronisation trees. 

In section 5, we present a number of applications of this logic. It is shown to be equivalent to Hennessy-Milner logic in the infinitary case, and hence to characterise bisimulation. In the finitary case, it is more powerful than Hennessy-Milner logic, and we obtain a more satisfactory characterisation result for it; namely, it is shown to characterise the "finitary part" of bisimulation for all transition systems.

We also develop an extension of Hennessy-Milner logic which is equivalent to the finitary domain logic. The infinitary domain logic is then used to axiomatize a suitable notion of "finitary transition system". These systems are shown indeed to be finitary in a strong sense — their bisimulation preorders are algebraic. Finally, the domain of synchronisation trees (i.e. the spectral space of the logic) is shown to be finitary qua transition system, and moreover to be final in a suitable category of such systems. This yields a syntax-free "universal semantics" for transition systems, which is fully abstract with respect to bisimulation.

In section 6, we give a conventional (syntax-directed) denotational semantics for the concurrent calculus SCCS [Mil83], based on our domain of synchronisation trees. A full abstraction result is proved for this semantics; as a by-product, our domain is shown to be isomorphic to Hennessy's term model [Hen81].
5.2 Transition Systems and Related Notions

We begin with the basic notion of a labelled transition system (with divergence), which abstracts from the operational semantics of many concurrent calculi.

Definition 5.2.1 A transition system is a structure

$(\mathsf{Proc}, \mathsf{Act}, \to, \uparrow)$

where:

• Proc is a set of processes or agents.

• Act is a set of atomic actions or experiments.

• $\to \subseteq \mathsf{Proc} \times \mathsf{Act} \times \mathsf{Proc}$ (notation: $p \xrightarrow{a} q$).

• $\uparrow \subseteq \mathsf{Proc}$ (notation: $p\!\uparrow$).

We write

$p\!\downarrow \;\equiv\; \neg(p\!\uparrow).$

We read $p \xrightarrow{a} q$ as "$p$ has the capability to do $a$ and become (i.e. change state to) $q$"; $p\!\uparrow$ as "$p$ may diverge"; and $p\!\downarrow$ as "$p$ definitely converges". We define

$\mathrm{sort}(p) = \{a \in \mathsf{Act} \mid \exists q, r.\ p \to^* q \xrightarrow{a} r\}$

where $p \to q \equiv \exists a \in \mathsf{Act}.\ p \xrightarrow{a} q$, and $\to^*$ is the reflexive, transitive closure of $\to$.

We now define a number of finiteness conditions on transition systems:

image-finiteness: $\forall p \in \mathsf{Proc}, a \in \mathsf{Act}.\ \{q \mid p \xrightarrow{a} q\}$ is finite,

sort-finiteness: $\forall p \in \mathsf{Proc}.\ \mathrm{sort}(p)$ is finite,

finite-branching: $\forall p \in \mathsf{Proc}.\ \{q \mid p \to q\}$ is finite,

initials-finiteness: $\forall p \in \mathsf{Proc}.\ \{a \in \mathsf{Act} \mid \exists q.\ p \xrightarrow{a} q\}$ is finite.

Each of these properties has a weak form, obtained by making it conditional on convergence. For example:

weak image-finiteness: $\forall p \in \mathsf{Proc}, a \in \mathsf{Act}.\ p\!\downarrow \Rightarrow \{q \mid p \xrightarrow{a} q\}$ is finite.

We now introduce a particularly useful source of examples for transition systems, the synchronisation trees. Given a set Act of actions, $\mathrm{ST}_\infty(\mathsf{Act})$, the synchronisation trees over Act, are defined as the (proper) class of infinitary terms generated by the following inductive definition:

$\dfrac{\{a_i \in \mathsf{Act},\ t_i \in \mathrm{ST}_\infty(\mathsf{Act})\}_{i \in I}}{\sum_{i \in I} a_i t_i\ [+\Omega] \in \mathrm{ST}_\infty(\mathsf{Act})} \qquad (5.1)$

where $[+\Omega]$ means optional inclusion of $\Omega$ as a summand (i.e. there are really two clauses in this definition). We write

$\Omega \equiv \sum_{i \in \emptyset} a_i t_i + \Omega.$

The subclass of terms formed using only finite sums is denoted $\mathrm{ST}_\omega(\mathsf{Act})$. Given a synchronisation tree $t$ formed according to (5.1) we stipulate:

• $t\!\uparrow$ iff $\Omega$ is included as a summand.

• $t \xrightarrow{a_i} t_i$ for each summand $a_i t_i$ $(i \in I)$.

This defines a (large) transition system $(\mathrm{ST}_\infty(\mathsf{Act}), \mathsf{Act}, \to, \uparrow)$; restriction to a subset of synchronisation trees yields a small transition system. In particular, by choosing a canonical system of representatives for $\mathrm{ST}_\omega(\mathsf{Act})$ which is closed under subtrees we obtain a countable transition system of finite synchronisation trees, which by abuse of notation we refer to also as $\mathrm{ST}_\omega(\mathsf{Act})$.

We are now ready to introduce the main concept we will study.

Definition 5.2.2 ([Par81, Mil80, Mil81]) A relation $R \subseteq \mathsf{Proc} \times \mathsf{Proc}$ is a prebisimulation if, for all $p, q \in \mathsf{Proc}$:

$pRq \Rightarrow \forall a \in \mathsf{Act}.$

• $p \xrightarrow{a} p' \Rightarrow \exists q'.\ q \xrightarrow{a} q' \;\&\; p'Rq'$

• $p\!\downarrow \Rightarrow q\!\downarrow \;\&\; [\,q \xrightarrow{a} q' \Rightarrow \exists p'.\ p \xrightarrow{a} p' \;\&\; p'Rq'\,]$.

We write

$p \lesssim^B q \;\equiv\; \exists R.\ R$ is a prebisimulation and $pRq$.
For an alternative description of $\lesssim^B$, let $\mathrm{Rel}(\mathsf{Proc})$ be the set of all binary relations over Proc; this is a complete lattice under set inclusion. Now define

$F : \mathrm{Rel}(\mathsf{Proc}) \to \mathrm{Rel}(\mathsf{Proc})$

$F(R) = \{(p, q) \mid \forall a \in \mathsf{Act}.$

• $p \xrightarrow{a} p' \Rightarrow \exists q'.\ q \xrightarrow{a} q' \;\&\; p'Rq'$

• $p\!\downarrow \Rightarrow q\!\downarrow \;\&\; [\,q \xrightarrow{a} q' \Rightarrow \exists p'.\ p \xrightarrow{a} p' \;\&\; p'Rq'\,]\}$.

Clearly, $R$ is a prebisimulation iff $R \subseteq F(R)$, i.e. $R$ is a pre-fixed point of $F$. Since $F$ is monotone, by Tarski's Theorem it has a maximal fixpoint, given by $\bigcup\{R \mid R \subseteq F(R)\}$, i.e. $\lesssim^B$. Thus $\lesssim^B$ is itself a prebisimulation, and evidently the largest one. Moreover, it is reflexive and transitive; the corresponding equivalence is denoted $\sim^B$.

We can also describe $\lesssim^B$ more explicitly, in terms of iterations of $F$. We define relations $\lesssim_\alpha$ ($\alpha \in \mathrm{Ord}$, the class of ordinals), by the following ordinal recursion:

• $p \lesssim_0 q$ always (i.e. $\lesssim_0 = \mathsf{Proc} \times \mathsf{Proc}$, the top element in the lattice $\mathrm{Rel}(\mathsf{Proc})$).

• $p \lesssim_{\alpha+1} q$ iff

$\forall a \in \mathsf{Act}.$

• $p \xrightarrow{a} p' \Rightarrow \exists q'.\ q \xrightarrow{a} q' \;\&\; p' \lesssim_\alpha q'$

• $p\!\downarrow \Rightarrow q\!\downarrow \;\&\; [\,q \xrightarrow{a} q' \Rightarrow \exists p'.\ p \xrightarrow{a} p' \;\&\; p' \lesssim_\alpha q'\,]$

(i.e. $\lesssim_{\alpha+1} = F(\lesssim_\alpha)$).

• For limit $\lambda$, $p \lesssim_\lambda q$ iff $\forall \alpha < \lambda.\ p \lesssim_\alpha q$ (i.e. $\lesssim_\lambda = \bigcap_{\alpha < \lambda} \lesssim_\alpha$).

This sequence of relations is decreasing, and bounded below by $\lesssim^B$, i.e. for all $\alpha$, $\lesssim^B \subseteq \lesssim_\alpha$.

For any (small) transition system the sequence is eventually stationary; for some $\lambda$, for all $\alpha \ge \lambda$, $\lesssim_\alpha = \lesssim_\lambda$. The least ordinal $\lambda$ for which this holds is called the closure ordinal [Mos74]; and we have $\lesssim_\lambda = \lesssim^B$. Note that each $\lesssim_\alpha$ is reflexive and transitive.

The relations $\lesssim^B$ and $\sim^B$ have been defined in the context of a given transition system. However, we frequently want to use them to compare processes from different transition systems. This is easily accomplished by forming the disjoint union of the two systems, and then using $\lesssim^B$ as defined above. In the sequel, we will do this without further comment.

We now introduce a program logic due to Hennessy and Milner [HM85]. The idea is to obtain a characterisation of $\lesssim^B$ in terms of a suitable notion of property of process; $p \lesssim^B q$ iff every property satisfied by $p$ is satisfied by $q$.

Definition 5.2.3 Given a set of actions Act, the language $\mathrm{HML}_\infty(\mathsf{Act})$ (we henceforth elide the parameter Act) is defined by the following inductive clauses:

$\dfrac{a \in \mathsf{Act} \quad \phi \in \mathrm{HML}_\infty}{[a]\phi,\ \langle a\rangle\phi \in \mathrm{HML}_\infty}$

$\dfrac{\phi_i \in \mathrm{HML}_\infty\ (i \in I)}{\bigwedge_{i \in I}\phi_i,\ \bigvee_{i \in I}\phi_i \in \mathrm{HML}_\infty}$

In particular, we write:

$t \equiv \bigwedge_{i \in \emptyset}\phi_i.$

We use the subscript $\infty$ to indicate the presence of infinite conjunctions and disjunctions. We write $\mathrm{HML}_\omega$ for the sublanguage obtained by restricting the formation rules to finite conjunctions and disjunctions.

We now define a satisfaction relation $\models \subseteq \mathsf{Proc} \times \mathrm{HML}_\infty$:

$p \models \bigwedge_{i \in I}\phi_i \;\equiv\; \forall i \in I.\ p \models \phi_i$

$p \models \bigvee_{i \in I}\phi_i \;\equiv\; \exists i \in I.\ p \models \phi_i$

$p \models \langle a\rangle\phi \;\equiv\; \exists q.\ p \xrightarrow{a} q \;\&\; q \models \phi$

$p \models [a]\phi \;\equiv\; p\!\downarrow \;\&\; \forall q.\ p \xrightarrow{a} q \Rightarrow q \models \phi.$

We write

$\mathrm{HML}_\infty(p) = \{\phi \in \mathrm{HML}_\infty : p \models \phi\}$

plus obvious variations on this notation.

We define two useful assignments of ordinals to formulas in $\mathrm{HML}_\infty$, the modal depth:

$\mathrm{md}(\bigwedge_{i \in I}\phi_i) = \mathrm{md}(\bigvee_{i \in I}\phi_i) = \sup\{\mathrm{md}(\phi_i) : i \in I\}$

$\mathrm{md}([a]\phi) = \mathrm{md}(\langle a\rangle\phi) = \mathrm{md}(\phi) + 1$

and the height:

$\mathrm{ht}(\bigwedge_{i \in I}\phi_i) = \mathrm{ht}(\bigvee_{i \in I}\phi_i) = \sup\{\mathrm{ht}(\phi_i) : i \in I\} + 1$

$\mathrm{ht}([a]\phi) = \mathrm{ht}(\langle a\rangle\phi) = \mathrm{ht}(\phi) + 1.$

We define $\mathrm{sort}(\phi)$ to be the set of action symbols which occur in $\phi$. Now given a set $A \subseteq \mathsf{Act}$ and an ordinal $\lambda$, we define a sublanguage of $\mathrm{HML}_\infty$:

$\mathrm{HML}^{(A, \lambda)}_\infty = \{\phi \in \mathrm{HML}_\infty : \mathrm{sort}(\phi) \subseteq A \;\&\; \mathrm{md}(\phi) \le \lambda\}.$

We are now ready to prove a generalised and strengthened version of the Modal Characterisation Theorem [Mil81, Mil85, HM85].

Theorem 5.2.4 (Modal Characterisation Theorem) Suppose that $A \subseteq \mathsf{Act}$ satisfies

$\mathrm{sort}(p) \cup \mathrm{sort}(q) \subseteq A \neq \emptyset;$

then

$p \lesssim_\lambda q \iff \mathrm{HML}^{(A, \lambda)}_\infty(p) \subseteq \mathrm{HML}^{(A, \lambda)}_\infty(q).$

As an immediate consequence we obtain

$p \lesssim^B q \iff \mathrm{HML}_\infty(p) \subseteq \mathrm{HML}_\infty(q).$
Proof. The left-to-right implication is proved by induction on $\lambda$. The cases for $\lambda = 0$, $\lambda$ a limit ordinal are trivial. For $\lambda = \alpha + 1$, we argue by induction on $\mathrm{ht}(\phi)$. The cases for $\bigwedge_{i \in I}\phi_i$, $\bigvee_{i \in I}\phi_i$ are trivial. Suppose $p \models \langle a\rangle\phi$. Then for some $p'$, $p \xrightarrow{a} p'$ and $p' \models \phi$. Since $p \lesssim_\lambda q$, for some $q'$, $q \xrightarrow{a} q'$ and $p' \lesssim_\alpha q'$. By the outer induction hypothesis, $q' \models \phi$, hence $q \models \langle a\rangle\phi$, as required. The case for $[a]\phi$ is similar.

For the converse, we argue by induction on $\lambda$. Suppose $p \not\lesssim_\lambda q$; we must find $\phi \in \mathrm{HML}^{(A, \lambda)}(p) - \mathrm{HML}^{(A, \lambda)}(q)$.

Case 1: $p \xrightarrow{a} p'$ and for all $q'$, $q \xrightarrow{a} q'$ implies $p' \not\lesssim_\alpha q'$ for some $\alpha < \lambda$. By induction hypothesis, for each such $q'$ there is $\phi_{q'} \in \mathrm{HML}^{(A, \alpha)}(p') - \mathrm{HML}^{(A, \alpha)}(q')$. Now take

$\phi = \langle a\rangle\bigwedge\{\phi_{q'} : q \xrightarrow{a} q'\}.$

Case 2: $p\!\downarrow$ and $q\!\uparrow$. Take $\phi = [a]t$, for any $a \in A$.

Case 3: $p\!\downarrow$, $q \xrightarrow{a} q'$, and for all $p'$, $p \xrightarrow{a} p'$ implies $p' \not\lesssim_\alpha q'$ for some $\alpha < \lambda$. Defining $\phi_{p'}$ analogously to Case 1,

$\phi = [a]\bigvee\{\phi_{p'} : p \xrightarrow{a} p'\}.$ ∎

The reader familiar with infinitary logic will recognise the strong similarity between this result and Karp's Theorem [Bar75]. Similar remarks apply to "Master Formula Theorems" as in [Rou85], vis à vis the Scott Isomorphism Theorem [Bar75].

Note that, if $A$ is a finite set and $\lambda$ a finite ordinal, then (up to logical equivalence) $\mathrm{HML}^{(A, \lambda)}_\infty$ is finite. It follows easily from this observation that each formula in $\mathrm{HML}^{(A, \lambda)}_\infty$ is equivalent to one in $\mathrm{HML}^{(A, \lambda)}_\omega$. Hence as a Corollary to the Characterisation Theorem we obtain

Theorem 5.2.5 [Abr87b] If the transition system is sort-finite, then

$p \lesssim_\omega q \iff \mathrm{HML}_\omega(p) \subseteq \mathrm{HML}_\omega(q).$

Moreover, we have the following result from [HM85]:

Theorem 5.2.6 If the transition system is image-finite, then

$p \lesssim^B q \iff \mathrm{HML}_\omega(p) \subseteq \mathrm{HML}_\omega(q).$
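As an added illustration (not part of the thesis), the following Python program computes the iterates $\lesssim_0, \lesssim_1, \ldots$ of $F$ and hence $\lesssim^B$ on a small finite (so image-finite) transition system with divergence, implements the satisfaction relation of Definition 5.2.3, and turns the three cases of the converse direction of Theorem 5.2.4 into a procedure that, for $p \not\lesssim_\lambda q$, builds a formula satisfied by $p$ but not by $q$. The transition system `SAMPLE`, its process names and the tuple encoding of HML formulas (`('or', ())` playing the role of $\bigvee_\emptyset$) are constructions of this example.

```python
"""Prebisimulation and Hennessy-Milner logic on a finite transition system with
divergence.  Added example, not from the thesis: it implements the operator F of
Section 5.2 with its iterates <=_0, <=_1, ..., the satisfaction relation of
Definition 5.2.3, and the distinguishing-formula construction from the proof of
Theorem 5.2.4, on a transition system SAMPLE constructed here for illustration."""
from itertools import product


class TransitionSystem:
    """(Proc, Act, -->, up): trans holds triples (p, a, q), div the p with p up."""

    def __init__(self, procs, acts, trans, div):
        self.procs, self.acts = frozenset(procs), frozenset(acts)
        self.trans, self.div = frozenset(trans), frozenset(div)

    def succ(self, p, a):
        return {q for (p1, b, q) in self.trans if p1 == p and b == a}

    def converges(self, p):              # p down  ==  not (p up)
        return p not in self.div


def F(ts, R):
    """F(R) of Section 5.2: pairs (p, q) whose one-step behaviour matches up to R."""
    out = set()
    for p, q in product(ts.procs, repeat=2):
        for a in ts.acts:
            # every p --a--> p' needs some q --a--> q' with p' R q'
            if not all(any((p1, q1) in R for q1 in ts.succ(q, a))
                       for p1 in ts.succ(p, a)):
                break
            # p down  ==>  q down, and every q --a--> q' needs some p --a--> p'
            if ts.converges(p) and (not ts.converges(q) or not all(
                    any((p1, q1) in R for p1 in ts.succ(p, a))
                    for q1 in ts.succ(q, a))):
                break
        else:
            out.add((p, q))
    return frozenset(out)


def prebisim_chain(ts):
    """<=_0, <=_1, ... up to the closure ordinal; the last one is <=^B."""
    chain = [frozenset(product(ts.procs, repeat=2))]
    while (nxt := F(ts, chain[-1])) != chain[-1]:
        chain.append(nxt)
    return chain


# HML formulas: ('and', (...)), ('or', (...)), ('box', a, phi), ('dia', a, phi)
T = ('and', ())


def sat(ts, p, phi):
    """p |= phi as in Definition 5.2.3; [a]phi additionally requires p down."""
    kind = phi[0]
    if kind == 'and':
        return all(sat(ts, p, psi) for psi in phi[1])
    if kind == 'or':
        return any(sat(ts, p, psi) for psi in phi[1])
    if kind == 'dia':
        return any(sat(ts, q, phi[2]) for q in ts.succ(p, phi[1]))
    return ts.converges(p) and all(sat(ts, q, phi[2]) for q in ts.succ(p, phi[1]))


def distinguish(ts, chain, level, p, q):
    """For p not <=_level q (level >= 1): phi with md(phi) <= level, p |= phi and
    q |/= phi, built by Cases 1-3 of the proof of Theorem 5.2.4."""
    R = chain[min(level - 1, len(chain) - 1)]     # <=_{level-1}
    for a in sorted(ts.acts):                                    # Case 1
        for p1 in sorted(ts.succ(p, a)):
            if all((p1, q1) not in R for q1 in ts.succ(q, a)):
                return ('dia', a, ('and', tuple(distinguish(ts, chain, level - 1, p1, q1)
                                                for q1 in sorted(ts.succ(q, a)))))
    if ts.converges(p) and not ts.converges(q):                  # Case 2
        return ('box', min(ts.acts), T)
    for a in sorted(ts.acts):                                    # Case 3
        for q1 in sorted(ts.succ(q, a)):
            if ts.converges(p) and all((p1, q1) not in R for p1 in ts.succ(p, a)):
                return ('box', a, ('or', tuple(distinguish(ts, chain, level - 1, p1, q1)
                                               for p1 in sorted(ts.succ(p, a)))))
    raise ValueError(f"{p} <=_{level} {q} holds; nothing to distinguish")


def modal_characterisation(ts):
    """Check Theorem 5.2.4 on ts: pairs outside <=^B are separated by their
    constructed formula, pairs inside agree on all of them; returns (ok, <=^B, formulas)."""
    chain = prebisim_chain(ts)
    pre, formulas = chain[-1], {}
    for p, q in product(sorted(ts.procs), repeat=2):
        if (p, q) not in pre:
            phi = distinguish(ts, chain, len(chain) - 1, p, q)
            if not (sat(ts, p, phi) and not sat(ts, q, phi)):
                return False, pre, formulas
            formulas[(p, q)] = phi
    for p, q in pre:
        if any(sat(ts, p, phi) and not sat(ts, q, phi) for phi in formulas.values()):
            return False, pre, formulas
    return True, pre, formulas


# Constructed sample: p = a.b.O, q = a.b.O + a.c.O, W = a.O + Omega (W may diverge)
SAMPLE = TransitionSystem(
    procs={'p', 'p1', 'q', 'q1', 'q2', 'O', 'W'}, acts={'a', 'b', 'c'},
    trans={('p', 'a', 'p1'), ('p1', 'b', 'O'), ('q', 'a', 'q1'), ('q', 'a', 'q2'),
           ('q1', 'b', 'O'), ('q2', 'c', 'O'), ('W', 'a', 'O')},
    div={'W'})
```

On `SAMPLE` the closure ordinal is 2, and `distinguish` separates `p` from `q` by $[a]\bigvee\{\langle b\rangle t\}$, the Case 3 formula, while `O` is separated from the divergent `W` by the Case 2 formula $[a]t$.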
Unfortunately, if unguarded recursion is allowed in any of the standard concurrent calculi (SCCS, CCS, CSP, etc.) they are neither image-finite nor sort-finite (though sort-finiteness may be regained e.g. for CCS by imposing fairly mild restrictions on the relabelling operators). Thus these two Theorems cannot be applied. To see how weak finitary Hennessy-Milner logic is when the set of actions is finite, consider the following

Example. [The sums defining $p$ and $q$ are not recoverable from the source; only the summand $aO + \Omega$ and the subtrees $b_nO$ survive.] We assume $b_m \neq b_n$ for $m \neq n$. Now $p \not\lesssim_2 q$, yet we have

Proposition 5.2.7 $\mathrm{HML}_\omega(p) \subseteq \mathrm{HML}_\omega(q)$.

In order to prove this Proposition we need a lemma.

Lemma 5.2.8 Every formula in $\mathrm{HML}_\omega(O)$ is satisfied by cofinitely many of the $b_nO$.

Proof. By induction on formulas in $\mathrm{HML}_\omega(O)$. For conjunctions and disjunctions, the intersection and union of finitely many cofinite sets are cofinite. (It is the case for conjunction which necessitates the strength of statement of the Lemma). The case for $\langle b\rangle\phi$ is vacuous. For cofinitely many (in fact, all but at most one) of the $b_nO$ do not have a $b$-action, hence satisfy $[b]\phi$. ∎

The Proposition can now be proved by induction on formulas in $\mathrm{HML}_\omega$. The only non-trivial case is $\langle a\rangle\phi$, which follows from the Lemma.

The deficiency of Hennessy-Milner logic illustrated by this example is disturbing, because processes generated by a finitary calculus (including $p$ and $q$ above) should be adequately modelled by a finitary semantics and logic. This suggests that Hennessy-Milner logic is not quite right as it stands.
5.3 A Domain Equation for Synchronisation Trees

In this section, we shall define a domain of synchronisation trees, and establish some of its basic properties. Since our definitions will use the Plotkin powerdomain, we need to work in a category which is closed under this construction. This means that we cannot use SDom, as we did in the previous two Chapters. Instead, we will use SFP. The only facts about SFP which we will need are that it is a category of algebraic domains closed under the following type constructions:

Separated Sum

Let $A$ be a countable set, and $\{D_a\}_{a \in A}$ an $A$-indexed family of domains. Then $\sum_{a \in A} D_a$ is formed by taking the disjoint union of the $D_a$ and adjoining a bottom element. We shall write elements of the disjoint union as $\langle a, d\rangle$ ($a \in A$, $d \in D_a$). Note that the ordering is defined so that

$\langle a, d\rangle \sqsubseteq \langle a', d'\rangle \iff a = a' \;\&\; d \sqsubseteq d'.$

• For each $a \in A$, the function

$D_a \to \sum_{a \in A} D_a, \qquad d \mapsto \langle a, d\rangle$

is continuous.

• Separated sum is functorial; given a family

$f_a : D_a \to E_a \quad (a \in A),$

$\sum_{a \in A} f_a : \sum_{a \in A} D_a \to \sum_{a \in A} E_a$

is defined by:

We write P[D] for the Plotkin powerdomain over D. Although this construc- 
tion is best characterised abstractly, as in |HP79] . for purposes of comparison 
with more concrete operational notions a good representation is invaluable. 
This is provided in |Plo76t IPI08I] . 

Definition 5.3.1 For an algebraic domain $D$ the Lawson topology on $D$ is generated by the sub-basic sets

$$\uparrow\! b, \qquad D - \uparrow\! b$$

for finite $b \in D$ (so the Lawson topology refines the Scott topology). We will write the closure operator associated with the Lawson topology as $\mathrm{Cl}$. (NB: in [Plo76], the Lawson topology is called the Cantor topology).

Definition 5.3.2 For $X \subseteq D$,

(i) $\mathrm{Con}(X) = \{d : \exists d_1, d_2 \in X.\ d_1 \sqsubseteq d \sqsubseteq d_2\}$

(ii) $X^* = (\mathrm{Con} \circ \mathrm{Cl})(X)$.

$X$ is said to be

• Lawson-closed if $X = \mathrm{Cl}\, X$

• Convex-closed if $X = \mathrm{Con}\, X$

• Closed if $X = X^*$.

Definition 5.3.3 The Egli-Milner order. For $X, Y \subseteq D$:

$$X \sqsubseteq_{EM} Y \equiv \forall x \in X.\ \exists y \in Y.\ x \sqsubseteq y\ \ \&\ \ \forall y \in Y.\ \exists x \in X.\ x \sqsubseteq y.$$

The representation of the Plotkin powerdomain can now be defined as 
follows: 

$$P[D] = (\{X \subseteq D : X \neq \emptyset,\ X = X^*\},\ \sqsubseteq_{EM}).$$

There are also a number of (continuous) operations associated with the Plotkin powerdomain, which we shall describe in terms of our representation of $P[D]$.

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• Firstly, $P$ is functorial: given $f : D \to E$,

$$Pf : P[D] \to P[E]$$

is defined by

$$Pf(X) = \{f(x) : x \in X\}^*.$$

• Singleton:

$$\{\!|\cdot|\!\} : D \to P[D]$$

is defined by

$$\{\!|d|\!\} = \{d\}.$$

• Union:

$$\uplus : P[D]^2 \to P[D]$$

is defined by

$$X \uplus Y = (X \cup Y)^* = \mathrm{Con}(X \cup Y).$$

• Big Union:

$$\biguplus : P[P[D]] \to P[D]$$

is defined by

$$\biguplus(\Theta) = \Big(\bigcup\Theta\Big)^* = \mathrm{Con}\Big(\bigcup\Theta\Big).$$

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• Tensor Product [HP79]. We will only need the following: given

$$f : D^n \to D$$

the multilinear extension

$$f^\dagger : P[D]^n \to P[D]$$

is defined by

$$f^\dagger(X_1, \ldots, X_n) = \{f(x_1, \ldots, x_n) : x_i \in X_i\}^*.$$

(Note that for $n = 1$, $f^\dagger = Pf$.) This extension has the property

$$f^\dagger(X_1, \ldots, X_i \uplus X_i', \ldots, X_n) = f^\dagger(X_1, \ldots, X_i, \ldots, X_n) \uplus f^\dagger(X_1, \ldots, X_i', \ldots, X_n)$$

for $1 \leq i \leq n$.
Adjoining the empty set 

To the best of my knowledge, the only significant precursor of our work in this Chapter is [MM79]. The main reason that something like our present programme could not have been carried through in their framework is that, because of a technical problem, they used the Smyth rather than the Plotkin powerdomain. This rules out any hope of gaining a correspondence with bisimulation. The technical problem is that of adjoining the empty set to the powerdomain to model the convergent process with no actions (NIL in CCS [Mil80], 0 in SCCS [Mil83], STOP in CSP [Hoa85], $\delta$ in ACP [BK84], etc.). If we add the empty set to our representation of $P[D]$, it is not related to anything except itself under $\sqsubseteq_{EM}$; in category-theoretic terms, the problem is the non-existence of a certain free construction ([Plo81]). Fortunately, we do not need these non-existent solutions. We shall adjoin the empty set to the Plotkin powerdomain in a way which has two advantages:

1. There is no theoretical overhead, since it is definable as a derived op- 
eration from standard type constructions. 






2. It works, i.e. is exactly suited to our semantic purposes, as the results 
to follow will show. 

For motivation, consider a transition system (Proc, Act, — >, t) and pro- 
cesses p, r e Proc such that 

{ii) p r . 
Then it is easy to see that, for all $q \in \mathrm{Proc}$:

(i) $r \lesssim q \iff r \sim q$

(ii) $q \lesssim r \iff q \sim p$ or $q \sim r$.

This suggests the following

Definition 5.3.4 $P^0[D]$, the Plotkin powerdomain with empty set. Representation of $P^0[D]$:

Elements: $\{X \subseteq D : X = X^*\} = P[D] \cup \{\emptyset\}$.

Ordering: $X \sqsubseteq Y \equiv X = \{\perp\}$ or $X \sqsubseteq_{EM} Y$.

Observation 5.3.5 $P^0[D] \cong (1)_\perp \oplus P[D]$.

In principle, we could work throughout with 3.5 as the definition of $P^0[D]$; in practice, it is much more convenient to work with the representation given by 3.4. This requires that we extend our definitions of the powerdomain operations to work on $P^0[D]$. In fact, all of the definitions following 3.3 still make sense for $P^0[D]$. It is easily checked that $\uplus$, $\biguplus$ and $\{\!|\cdot|\!\}$ are continuous on $P^0[D]$. For $P^0 f$ and $f^\dagger$ a technical point arises, which is not specific to 3.4, but stems from the use of coalesced sum in 3.5. As is well known, coalesced sum is functorial only on the category of strict functions. Hence we can only use $P^0 f$ if $f$ is strict, and $f^\dagger$ if $f$ is strict in each argument separately. With these provisos, the extended operations are continuous.

Notation. We use $\emptyset$ to denote the empty set in $P^0[D]$; if $I$ is a finite index set, we write

$$\biguplus_{i \in I} X_i$$

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meaning the iterated use of $\uplus$ (which is associative, commutative and idempotent on $P^0[D]$, just as it is on $P[D]$) if $I \neq \emptyset$, and $\emptyset$ otherwise. Also, we write

where $d \in D$ and $A$ is some sentence, meaning $\{\!|d|\!\}$ if $A$ is true, and $\emptyset$ otherwise.

We are now ready for the main definition of the section. 

Definition 5.3.6 Let Act be a countable set of actions. Then $\mathcal{D}(\mathrm{Act})$, the domain of synchronisation trees over Act (we henceforth omit the parameter Act), is defined to be the initial solution of the domain equation

$$\mathcal{D} = P^0\Big[\sum_{a \in \mathrm{Act}} \mathcal{D}\Big]. \qquad (5.2)$$

Here the sum $\sum_{a \in \mathrm{Act}} \mathcal{D}$ is the "copower" of Act copies of $\mathcal{D}$. The equation is essentially that of [MM79], minus the value passing and with a different powerdomain.

How can we relate this domain equation to the formalism of Chapter 4? Suppose we extend the metalanguage of types introduced there with a constructor $P_P(\cdot)$ for the Plotkin powerdomain. Then we can write

$$\mathcal{D} = \mathrm{rec}\, t.\,(1)_\perp \oplus P_P\Big[\sum_{a \in \mathrm{Act}} t\Big]$$

using 3.5 to eliminate $P^0$. This is not yet a valid type expression because of the sum

$$\sum_{a \in \mathrm{Act}} t \qquad (5.3)$$

Let us take the main case of interest, where Act is countably infinite, say $\mathrm{Act} = \{a_n\}_{n \in \omega}$. Then we can replace (5.3) by the recursive expression

$$\mathrm{rec}\, u.\,(t)_\perp \oplus u \qquad (5.4)$$

yielding the overall expression

$$\mathcal{D} = \mathrm{rec}\, t.\,(1)_\perp \oplus P_P[\mathrm{rec}\, u.\,(t)_\perp \oplus u] \qquad (5.5)$$
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the intention being that the $i$'th summand as we unfold (5.4) corresponds to $a_i \in \mathrm{Act}$.

The reader will by now probably appreciate our efforts to streamline the presentation. Nevertheless, we regard the "closed form" expression (5.5) as fundamental, and the logic we shall introduce in the next section could be derived mechanically from it in the manner detailed in Chapter 4.

In the remainder of this section, we shall apply some standard domain- 
theoretic methods to elucidate the structure of V. 

Notation. We write $\perp$ for the bottom element of $\sum_{a \in \mathrm{Act}} \mathcal{D}$; $\{\!|\perp|\!\}$ is then the bottom element of $P^0[\sum_{a \in \mathrm{Act}} \mathcal{D}]$.

How can we unpack the structure of $\mathcal{D}$ from the domain equation (5.2)? This is best done in two parts:

1. A specified isomorphism pair $\eta$, $\theta$ between $\mathcal{D}$ and $P^0[\sum_{a \in \mathrm{Act}} \mathcal{D}]$.

In fact, we shall elide $\eta$ and $\theta$, and treat (5.2) as an identity; this is only a notational convenience, and the reader can put $\eta$ and $\theta$ back without encountering any difficulties.

2. Initiality. The categorical framework is clumsy to work with for our purposes. Instead, we will use an "intrinsic" (or in the terminology of [SP82] a "local" or "O-notion") formulation.

Definition 5.3.7 We define a sequence of functions $\pi_k : \mathcal{D} \to \mathcal{D}$ ($k \in \omega$) as follows:

$$\pi_0 = \lambda x \in \mathcal{D}.\,\{\!|\perp|\!\}$$

$$\pi_{k+1} = P^0\Big[\sum_{a \in \mathrm{Act}} \pi_k\Big].$$

Note that $\sum_{a \in \mathrm{Act}}$ always produces a strict function, so this is well-defined.
Now the following proposition is standard ([Plo81, Chapter 5, Theorem 3]):
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Proposition 5.3.8 $\mathcal{D}$ is the "internal colimit" of the $\pi_k$:

(i) Each $\pi_k$ is continuous and $\pi_k \sqsubseteq \pi_{k+1}$

(iii) $\pi_k \circ \pi_k = \pi_k$

In particular, we will use part (iv) of this Proposition as the cutting edge of initiality.

Next, it will be useful to have an explicit description of the finite elements of $\mathcal{D}$, which, as already noted, is in SFP, and hence algebraic.

Definition 5.3.9 $K(\mathcal{D}) \subseteq \mathcal{D}$ is defined inductively as follows:

• $\emptyset \in K(\mathcal{D})$

• $\{\!|\perp|\!\} \in K(\mathcal{D})$

• $a \in \mathrm{Act},\ d \in K(\mathcal{D}) \implies \{\!|\langle a, d\rangle|\!\} \in K(\mathcal{D})$

• $d_1, d_2 \in K(\mathcal{D}) \implies d_1 \uplus d_2 \in K(\mathcal{D})$.

The following is again standard:

Proposition 5.3.10 $K(\mathcal{D})$ is exactly the set of finite elements of $\mathcal{D}$.

Finally, we consider $\mathcal{D}$ as a transition system $(\mathcal{D}, \mathrm{Act}, \to, \uparrow)$ defined by:

• $d \xrightarrow{a} d' \equiv \langle a, d'\rangle \in d$

• $d\uparrow \equiv \perp \in d$.

Proposition 5.3.11 $\mathcal{D}$ is "internally fully abstract", i.e.

$$\forall d_1, d_2 \in \mathcal{D}.\ d_1 \lesssim d_2 \iff d_1 \sqsubseteq d_2.$$
Proof. We shall prove

(1) $\forall k.\ d_1 \lesssim_k d_2 \implies \pi_k d_1 \sqsubseteq \pi_k d_2$

and

(2) $\sqsubseteq\ \subseteq\ \lesssim$.

Clearly (1) implies

(3) $\lesssim_\omega\ \subseteq\ \sqsubseteq$

by 5.3.8(iv), and since

(4) $\lesssim\ \subseteq\ \lesssim_\omega$,

we obtain $\lesssim\ =\ \sqsubseteq$, as required.

(1). By induction on $k$. The basis is trivial. For the inductive step, assume $d \lesssim_{k+1} e$. Now $d = \emptyset$ and $d \lesssim_{k+1} e$ implies $e = \emptyset$, while $d = \{\!|\perp|\!\}$ implies $d \sqsubseteq e$, so we may assume $d \neq \emptyset \neq e$, and it suffices to prove $\pi_{k+1} d \sqsubseteq_{EM} \pi_{k+1} e$. From the definitions we have $\pi_{k+1} d = X^*$, where

$$X = \{\langle a, \pi_k d'\rangle : \langle a, d'\rangle \in d\} \cup \{\perp : \perp \in d\},$$

and similarly $\pi_{k+1} e = Y^*$. Now

$\langle a, \pi_k d'\rangle \in X$
$\implies d \xrightarrow{a} d'$
$\implies \exists e'.\ e \xrightarrow{a} e'\ \&\ d' \lesssim_k e'$
$\implies \exists e'.\ \langle a, e'\rangle \in e\ \&\ \pi_k d' \sqsubseteq \pi_k e'$ by induction hypothesis
$\implies \exists \langle a, \pi_k e'\rangle \in Y.\ \langle a, \pi_k d'\rangle \sqsubseteq \langle a, \pi_k e'\rangle.$

$\perp \notin X$
$\implies \perp \notin e\ \&\ [e \xrightarrow{a} e' \implies \exists d'.\ d \xrightarrow{a} d'\ \&\ d' \lesssim_k e']$
$\implies \perp \notin Y\ \&\ \forall \langle a, \pi_k e'\rangle \in Y.\ \exists \langle a, \pi_k d'\rangle \in X.\ \pi_k d' \sqsubseteq \pi_k e'$

by the induction hypothesis again, and we have shown $X \sqsubseteq_{EM} Y$, which implies $X^* \sqsubseteq_{EM} Y^*$, as required.







(2). It suffices to show that $\sqsubseteq$ is a prebisimulation. This is a simple calculation:

• $d \sqsubseteq e$
$\implies \forall \langle a, d'\rangle \in d.\ \exists \langle a, e'\rangle \in e.\ d' \sqsubseteq e'$
$\quad \&\ [\perp \notin d \implies \perp \notin e\ \&\ [\forall \langle a, e'\rangle \in e.\ \exists \langle a, d'\rangle \in d.\ d' \sqsubseteq e']]$
$\implies \forall a \in \mathrm{Act}.\ [d \xrightarrow{a} d' \implies \exists e'.\ e \xrightarrow{a} e'\ \&\ d' \sqsubseteq e']$
$\quad \&\ [d\downarrow \implies e\downarrow\ \&\ [e \xrightarrow{a} e' \implies \exists d'.\ d \xrightarrow{a} d'\ \&\ d' \sqsubseteq e']].\ \blacksquare$
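As an added illustration of Definitions 5.3.3 and 5.3.4 and of Proposition 5.3.11 (example code written for this edition, not from the original text), the following computes the ordering of $P^0[\sum_a \mathcal{D}]$ on finite synchronisation trees via the Egli-Milner clauses, and the prebisimulation preorder $\lesssim$ via the transition system of 5.3.11, on constructed sample trees. Trees are represented by finite generating sets of capabilities, relying on the invariance of $\sqsubseteq_{EM}$ under convex closure, so $(\cdot)^*$ is never computed.

```python
"""Added example (not from the original text): the ordering of P°[Σ_a D] on finite
synchronisation trees, via the Egli-Milner ordering of Definitions 5.3.3/5.3.4, beside
the prebisimulation preorder ≲ on the transition system of Proposition 5.3.11.
Trees are represented by finite generating sets of capabilities; ⊑_EM is invariant
under convex closure, so the closure operator (·)* is never computed."""
BOT = "⊥"                         # the divergence capability ⊥ (constructed marker)

EMPTY = frozenset()               # ∅: NIL, convergent with no actions
OMEGA = frozenset({BOT})          # {|⊥|}: the wholly undefined process, the least element

def prefix(a, t):
    """{|<a, t>|}: one a-transition to t."""
    return frozenset({(a, t)})

def plus(*ts):
    """⊎ on generators (the convex closure Con is left implicit)."""
    return frozenset().union(*ts)

def cap_leq(x, y):
    """Ordering on Σ_a D: ⊥ is below everything; <a,d> ⊑ <a',d'> iff a = a' and d ⊑ d'."""
    if x == BOT:
        return True
    if y == BOT:
        return False
    return x[0] == y[0] and leq(x[1], y[1])

def leq(d, e):
    """X ⊑ Y in P°[·]: X = {|⊥|} or X ⊑_EM Y (both Egli-Milner clauses)."""
    if d == OMEGA:
        return True
    return (all(any(cap_leq(x, y) for y in e) for x in d)
            and all(any(cap_leq(x, y) for x in d) for y in e))

def diverges(d):
    return BOT in d

def succ(d, a):
    """a-derivatives of d in (D, Act, →, ↑): d -a-> d' iff <a,d'> ∈ d."""
    return [c[1] for c in d if c != BOT and c[0] == a]

def prebisim(d, e):
    """d ≲ e: every a-move of d is matched by e and, if d converges, e converges and
    every a-move of e is matched by d. Finite trees are cycle-free, so the recursion
    computes the greatest prebisimulation."""
    acts = {c[0] for c in d | e if c != BOT}
    for a in acts:
        if not all(any(prebisim(d1, e1) for e1 in succ(e, a)) for d1 in succ(d, a)):
            return False
    if not diverges(d):
        if diverges(e):
            return False
        for a in acts:
            if not all(any(prebisim(d1, e1) for d1 in succ(d, a)) for e1 in succ(e, a)):
                return False
    return True

# constructed sample trees
A0 = prefix("a", EMPTY)                            # a.0
AB = plus(prefix("a", EMPTY), prefix("b", EMPTY))  # a.0 + b.0
A_OMEGA = prefix("a", OMEGA)                       # a.Ω
A0_OMEGA = plus(prefix("a", EMPTY), OMEGA)         # a.0 + Ω
SAMPLE = [EMPTY, OMEGA, A0, AB, A_OMEGA, A0_OMEGA]

def full_abstraction_holds(trees=SAMPLE):
    """Proposition 5.3.11 checked on the sample: d1 ≲ d2 iff d1 ⊑ d2 for every pair."""
    return all(prebisim(x, y) == leq(x, y) for x in trees for y in trees)
```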

We finish with some examples to illustrate the richness of $\mathcal{D}$ as a transition system.

Examples

(1). $\mathcal{D}$ is not sort-finite.

$$d_0 = \{\!|\langle a_0, \{\!|\perp|\!\}\rangle|\!\}$$

$$d_1 = \{\!|\langle a_0, \{\!|\langle a_1, \{\!|\perp|\!\}\rangle|\!\}\rangle|\!\}$$

$$\vdots$$

$$\mathrm{sort}\Big(\bigsqcup_{k \in \omega} d_k\Big) = \{a_0, a_1, \ldots\}$$

(2). $\mathcal{D}$ is not weakly image-finite.

$$e_k = \sum_{i < k} a^i 0 + a^k \Omega \qquad (k \in \omega)$$
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5.4 A Domain Logic for Transition Systems 



We now introduce our domain logic in an infinitary version $\mathcal{L}_\infty$, with a finitary subset $\mathcal{L}_\omega$. We show how $\mathcal{L}_\infty$ can be interpreted in any transition system, present a proof system, and establish its soundness. We then turn to $\mathcal{L}_\omega$, and prove the main result of the section: $\mathcal{L}_\omega$ is the Stone dual of $\mathcal{D}$. That is, $\mathcal{D}$ is isomorphic to the spectral space of $\mathcal{L}_\omega$, while $\mathcal{L}_\omega$ is isomorphic to the lattice of compact-open subsets of $\mathcal{D}$. This duality will be crucial to our work in the next section.

Definition 5.4.1 The language $\mathcal{L}$ has two sorts: $\pi$ (process) and $\kappa$ (capability). We write $\mathcal{L}_{\infty\pi}$ ($\mathcal{L}_{\infty\kappa}$) for the class of formulae of sort $\pi$ ($\kappa$), which are defined inductively as follows:

$$\frac{\{\phi_i \in \mathcal{L}_{\infty\sigma}\}_{i \in I}}{\bigvee_{i \in I} \phi_i,\ \bigwedge_{i \in I} \phi_i \in \mathcal{L}_{\infty\sigma}} \qquad (\sigma \in \{\pi, \kappa\})$$

$$\frac{a \in \mathrm{Act},\ \phi \in \mathcal{L}_{\infty\pi}}{a(\phi) \in \mathcal{L}_{\infty\kappa}}$$

$$\frac{\phi \in \mathcal{L}_{\infty\kappa}}{\Box\phi,\ \Diamond\phi \in \mathcal{L}_{\infty\pi}}$$

Notation. We write $\mathbf{t} = \bigwedge\emptyset$, $\mathbf{f} = \bigvee\emptyset$.

The sublanguage of $\mathcal{L}_\infty$ obtained by the restriction to finite conjunctions and disjunctions is denoted $\mathcal{L}_\omega$. Height, modal depth and sort are defined for $\mathcal{L}$ in entirely analogous fashion to HML. For example:

• $\mathrm{md}(\bigvee_{i \in I} \phi_i) = \mathrm{md}(\bigwedge_{i \in I} \phi_i) = \sup\{\mathrm{md}(\phi_i) : i \in I\}$

• $\mathrm{md}(a(\phi)) = \mathrm{md}(\phi)$

• $\mathrm{md}(\Box\phi) = \mathrm{md}(\Diamond\phi) = \mathrm{md}(\phi) + 1$.

For each $A \subseteq \mathrm{Act}$ and ordinal $\lambda$:

$$\mathcal{L}_\infty^{(A,\lambda)} = \{\phi \in \mathcal{L}_\infty : \mathrm{sort}(\phi) \subseteq A\ \&\ \mathrm{md}(\phi) < \lambda\}.$$

It should be clear how the form of our language is derived from the type expression

$$\mathrm{rec}\, t.\,P^0\Big[\sum_{a \in \mathrm{Act}} t\Big].$$

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The two-sorted structure of $\mathcal{L}$ corresponds to the type constructions $P^0$ ($\pi$) and $\sum_{a \in \mathrm{Act}}$ ($\kappa$). The recursion in the type expression is mirrored by the mutual recursion between the two sorts. Note that the Plotkin powerdomain is built from the combination of the must modality $\Box$ of the Smyth powerdomain and the may modality $\Diamond$ of the Hoare powerdomain (cf. [Abr83a, Win83]).

Interpretation of $\mathcal{L}$ in transition systems

Given a transition system $(\mathrm{Proc}, \mathrm{Act}, \to, \uparrow)$, we define

$$\mathrm{Cap} = \{\perp\} \cup (\mathrm{Act} \times \mathrm{Proc})$$

$$C : \mathrm{Proc} \to \wp(\mathrm{Cap})$$

$$C(p) = \{\perp : p\uparrow\} \cup \{\langle a, q\rangle : p \xrightarrow{a} q\}.$$

$C(p)$ is the set of capabilities of $p$. We can now define satisfaction relations

$$\models_\pi\ \subseteq\ \mathrm{Proc} \times \mathcal{L}_{\infty\pi}$$

$$\models_\kappa\ \subseteq\ \mathrm{Cap} \times \mathcal{L}_{\infty\kappa}:$$

For $\sigma \in \{\pi, \kappa\}$:

$w \models_\sigma \bigwedge_{i \in I} \phi_i \equiv \forall i \in I.\ w \models_\sigma \phi_i$

$w \models_\sigma \bigvee_{i \in I} \phi_i \equiv \exists i \in I.\ w \models_\sigma \phi_i$

$p \models_\pi \Box\phi \equiv \forall c \in C(p).\ c \models_\kappa \phi$

$p \models_\pi \Diamond\phi \equiv \exists c \in C(p) \cup \{\perp\}.\ c \models_\kappa \phi$

$c \models_\kappa a(\phi) \equiv c = \langle a, q\rangle\ \&\ q \models_\pi \phi.$

The assertions over $\mathcal{L}$ have the form $\phi \leq_\sigma \psi$. The satisfaction relation between transition systems and assertions is defined by:

$$T \models \phi \leq_\sigma \psi \equiv \forall w \in S_\sigma.\ w \models_\sigma \phi \implies w \models_\sigma \psi$$

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($\sigma \in \{\pi, \kappa\}$, $S_\pi = \mathrm{Proc}$, $S_\kappa = \mathrm{Cap}$). This is extended to a class of transition systems $\mathcal{C}$ by:

$$\mathcal{C} \models A \equiv \forall T \in \mathcal{C}.\ T \models A.$$

If $\mathcal{C}$ is the class of all transition systems, we simply write $\models A$.

A Proof System For $\mathcal{L}_\infty$

Firstly, we define a predicate $(\cdot)\!\downarrow$ on $\mathcal{L}_\infty$:

$$a(\phi)\!\downarrow\ = \text{true}$$

$$(\Box\phi)\!\downarrow\ = \phi\!\downarrow$$

$$(\Diamond\phi)\!\downarrow\ = \phi\!\downarrow.$$

Intuitively, $\phi\!\downarrow$ means that at least the completely undefined process does not satisfy $\phi$ (i.e. $\phi \neq \mathbf{t}$). We will use it to restrict one of our axiom schemes.
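The satisfaction clauses and the predicate $\phi\!\downarrow$ above, as an added Python example (not code from the original text): a constructed finite transition system with one divergent process, the two satisfaction relations, $\phi\!\downarrow$, and a check of the entailment $\Box\phi \wedge \Diamond\psi \leq \Diamond(\phi \wedge \psi)$, which the proof system below restricts by the side condition $\psi\!\downarrow$. The $\bigwedge$/$\bigvee$ clauses of $(\cdot)\!\downarrow$ are not spelled out on the page; the ones used here are an assumption obtained by reading $\phi\!\downarrow$ as "$\Omega \not\models \phi$".

```python
"""Added example (not from the original text): the satisfaction relations ⊨π and ⊨κ
of the domain logic over a constructed finite transition system with divergence,
the predicate φ↓, and a check of the entailment □φ ∧ ◇ψ ≤ ◇(φ ∧ ψ), whose side
condition ψ↓ the proof system imposes."""
BOT = "⊥"

# formulae: ("and", [..]) / ("or", [..]) at either sort,
# ("box", f) / ("dia", f) at sort π, ("act", a, f) at sort κ
T = ("and", [])   # t = conjunction of nothing
F = ("or", [])    # f = disjunction of nothing

def And(*fs): return ("and", list(fs))
def Or(*fs): return ("or", list(fs))
def Box(f): return ("box", f)
def Dia(f): return ("dia", f)
def Act(a, f): return ("act", a, f)

# constructed transition system: (a, q) in TRANS[p] means p -a-> q; DIV is {p : p↑}
TRANS = {"p": {("a", "q"), ("b", "r")}, "q": set(), "r": {("a", "q")}, "omega": set()}
DIV = {"omega"}   # "omega" is the wholly undefined process: C(omega) = {⊥}

def caps(p):
    """C(p) = {⊥ : p↑} ∪ {<a,q> : p -a-> q}."""
    return ({BOT} if p in DIV else set()) | set(TRANS[p])

def sat_pi(p, f):
    """p ⊨π f for a formula f of sort π."""
    kind = f[0]
    if kind == "and":
        return all(sat_pi(p, g) for g in f[1])
    if kind == "or":
        return any(sat_pi(p, g) for g in f[1])
    if kind == "box":      # every capability, ⊥ included, must satisfy f
        return all(sat_kappa(c, f[1]) for c in caps(p))
    if kind == "dia":      # some capability in C(p) ∪ {⊥}; this is what makes ◇t = t
        return any(sat_kappa(c, f[1]) for c in caps(p) | {BOT})
    raise ValueError("formula of sort κ used at sort π")

def sat_kappa(c, f):
    """c ⊨κ f for a formula f of sort κ; the capability ⊥ satisfies no a(f)."""
    kind = f[0]
    if kind == "and":
        return all(sat_kappa(c, g) for g in f[1])
    if kind == "or":
        return any(sat_kappa(c, g) for g in f[1])
    if kind == "act":
        return c != BOT and c[0] == f[1] and sat_pi(c[1], f[2])
    raise ValueError("formula of sort π used at sort κ")

def down(f):
    """f↓: the wholly undefined process does not satisfy f. The a(·), □ and ◇ clauses
    are the page's; the ⋀/⋁ clauses are an assumption made here, obtained by reading
    f↓ as 'Ω ⊭ f' (so t↓ is false and f↓ is true)."""
    kind = f[0]
    if kind == "and":
        return any(down(g) for g in f[1])
    if kind == "or":
        return all(down(g) for g in f[1])
    if kind == "act":
        return True
    return down(f[1])   # box, dia

def entails(f, g):
    """T ⊨ f ≤π g on the constructed system: every process satisfying f satisfies g."""
    return all(sat_pi(p, g) for p in TRANS if sat_pi(p, f))

def side_condition_matters():
    """□φ ∧ ◇ψ ≤ ◇(φ ∧ ψ) holds here with ψ↓, and fails for ψ = t (where ψ↑)."""
    phi = Or(Act("a", T), Act("b", T))
    psi = Act("a", T)
    good = entails(And(Box(phi), Dia(psi)), Dia(And(phi, psi)))
    bad = entails(And(Box(phi), Dia(T)), Dia(And(phi, T)))
    return good and not bad
```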

We now present a proof system for assertions over $\mathcal{L}_\infty$. Sort subscripts are omitted.

Logical Axioms 

Exactly as in Chapter 4, except that the restriction to finite index sets on 
conjunctions and disjunctions is lifted. 

Modal Axioms

$$(a\text{-}\leq)\quad \frac{\phi \leq \psi}{a(\phi) \leq a(\psi)}$$

$$(a\text{-}\wedge)(i)\quad a\Big(\bigwedge_{i \in I} \phi_i\Big) = \bigwedge_{i \in I} a(\phi_i) \qquad (I \neq \emptyset)$$

$$(a\text{-}\wedge)(ii)\quad a(\phi) \wedge b(\psi) = \mathbf{f} \qquad (a \neq b)$$

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$$(a\text{-}\vee)\quad a\Big(\bigvee_{i \in I} \phi_i\Big) = \bigvee_{i \in I} a(\phi_i)$$

$$(\Box\text{-}\leq)\quad \frac{\phi \leq \psi}{\Box\phi \leq \Box\psi}$$

$$(\Box\text{-}\wedge)\quad \Box\bigwedge_{i \in I} \phi_i = \bigwedge_{i \in I} \Box\phi_i$$

$$(\Diamond\text{-}\leq)\quad \frac{\phi \leq \psi}{\Diamond\phi \leq \Diamond\psi}$$

$$(\Diamond\text{-}\vee)\quad \Diamond\bigvee_{i \in I} \phi_i = \bigvee_{i \in I} \Diamond\phi_i$$

$$(\Box\text{-}\vee)\quad \Box(\phi \vee \psi) \leq \Box\phi \vee \Diamond\psi$$

$$(\Diamond\text{-}\wedge)\quad \Box\phi \wedge \Diamond\psi \leq \Diamond(\phi \wedge \psi) \qquad (\psi\!\downarrow)$$

$$(\Diamond\text{-}\mathbf{t})\quad \Diamond\mathbf{t} = \mathbf{t}.$$

The form of our axiomatisation follows the same pattern as that of Chapter 4, of (the general approach exemplified by) which it is of course a special case. The first group of axioms and rules give the logical structure of entailment, conjunction and disjunction. They give (the Lindenbaum algebra of) $\mathcal{L}_\infty$ the structure of a (large) completely distributive lattice [Joh82]. We then articulate the modal structure by showing how the constructors interact with the logical structure. The axioms for the $a(\cdot)$ constructor correspond to those for coalesced sum given in Chapter 4; the fact that separated sum is intended here is reflected by the side-condition on $(a\text{-}\wedge)(i)$. The axioms for $\Box$ and $\Diamond$ individually correspond to those presented for the upper and lower powerdomains in Chapter 4; however, these two modalities interact in the Plotkin powerdomain, resulting in its greater complexity; these interactions are expressed in logical terms by $(\Box\text{-}\vee)$ and $(\Diamond\text{-}\wedge)$. Our surgery on the ordering to keep a least element while adding the empty set is reflected by the presence of $(\Diamond\text{-}\mathbf{t})$ and the side condition on $(\Diamond\text{-}\wedge)$.

We write $\mathcal{L} \vdash A$ or just $\vdash A$ if an assertion $A$ is derivable from the above rules and axioms. It will be convenient to have equational versions of $(\Box\text{-}\vee)$ and $(\Diamond\text{-}\wedge)$, which can be obtained as theorems of $\mathcal{L}$:

$$(D1)\quad \vdash \Box(\phi \vee \psi) = \Box\psi \vee (\Box(\phi \vee \psi) \wedge \Diamond\phi)$$

$$(D2)\quad \vdash \Box\phi \wedge \Diamond\psi = \Box\phi \wedge \Diamond(\phi \wedge \psi) \qquad (\psi\!\downarrow).$$
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We now turn to the question of soundness for our system. As a first step, we show that our auxiliary predicate $(\cdot)\!\downarrow$ works as intended.

Proposition 5.4.2 (i) $\forall \phi \in \mathcal{L}_{\infty\kappa}.\ \phi\!\downarrow\ \iff\ \perp \not\models_\kappa \phi$.

(ii) $\forall \phi \in \mathcal{L}_{\infty\pi}.\ \phi\!\downarrow\ \iff\ \forall p \in \mathrm{Proc}.\ [p \models_\pi \phi \implies C(p) \neq \{\perp\}]$.

Proof. We prove (i) and (ii) simultaneously by induction on $\phi$. We consider the two non-trivial cases:

$\Box\phi$: Assume $(\Box\phi)\!\downarrow$, i.e. $\phi\!\downarrow$, and $p \models_\pi \Box\phi$. $C(p) = \{\perp\}$ would then imply $\perp \models_\kappa \phi$, but this is impossible by the induction hypothesis. For the converse, suppose $(\Box\phi)\!\uparrow$, i.e. $\phi\!\uparrow$. Then by induction hypothesis, $\perp \models_\kappa \phi$, and hence $p \models_\pi \Box\phi$ with $C(p) = \{\perp\}$.

$\Diamond\phi$: Assume $\phi\!\downarrow$ and $p \models_\pi \Diamond\phi$. Then $\perp \not\models_\kappa \phi$, and so there must be $c \in C(p) - \{\perp\}$ with $c \models_\kappa \phi$. The converse is proved by the same argument as for $\Box\phi$. $\blacksquare$

Theorem 5.4.3 (Soundness of $\mathcal{L}$) $\vdash A \implies\ \models A$.

Proof. By a routine induction over proofs. For illustration, we consider $(\Diamond\text{-}\wedge)$. Assume $\psi\!\downarrow$ and $p \models_\pi \Box\phi \wedge \Diamond\psi$. Then $p \models_\pi \Diamond\psi$, and so by 5.4.2 $C(p) \neq \{\perp\}$ and $\perp \not\models_\kappa \psi$, and there must be $c \in C(p) - \{\perp\}$ such that $c \models_\kappa \psi$. But then $p \models_\pi \Box\phi$ implies that $c \models_\kappa \phi$, and so $p \models_\pi \Diamond(\phi \wedge \psi)$ as required. $\blacksquare$

We now turn to the finitary logic $\mathcal{L}_\omega$. Henceforth we assume that Act is countable. It is then clear that $\mathcal{L}_\omega$ can be made into a countable set by a suitable choice of canonical representatives of logical equivalence classes.

Recall that $\mathrm{Spec}\,\mathcal{L}_\omega$ is the set of prime filters over $\mathcal{L}_{\omega\pi}$, i.e. subsets $x \subseteq \mathcal{L}_{\omega\pi}$ satisfying

• $\phi \in x\ \&\ \vdash \phi \leq \psi \implies \psi \in x$

• $\mathbf{t} \in x$

• $\phi, \psi \in x \implies \phi \wedge \psi \in x$

• $\mathbf{f} \notin x$

• $\phi \vee \psi \in x \implies \phi \in x$ or $\psi \in x$.

$\mathrm{Spec}\,\mathcal{L}_\omega$ is topologised by taking as basic opens the sets

$$\{x \in \mathrm{Spec}\,\mathcal{L}_\omega : \phi \in x\} \qquad (\phi \in \mathcal{L}_{\omega\pi})$$

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or, equivalently in our context, by taking the Scott topology over the specialisation order on $\mathrm{Spec}\,\mathcal{L}_\omega$, which is simply set inclusion.

Our aim is to prove the following fundamental result, which shows that the logic does indeed correspond exactly to the domain $\mathcal{D}$:

Theorem 5.4.4 (Stone Duality) $\mathcal{D}$ and $\mathcal{L}_\omega$ are Stone duals, i.e.

(i) $\mathcal{D} \cong \mathrm{Spec}\,\mathcal{L}_\omega$

(ii) $K\Omega(\mathcal{D}) \cong (\mathcal{L}_{\omega\pi}/\!=_{\mathcal{L}},\ \leq_{\mathcal{L}}/\!=_{\mathcal{L}})$.

Here $K\Omega(\mathcal{D})$ is the lattice of compact-open subsets of $\mathcal{D}$, while $(\mathcal{L}_{\omega\pi}/\!=_{\mathcal{L}},\ \leq_{\mathcal{L}}/\!=_{\mathcal{L}})$ is the Lindenbaum algebra of $\mathcal{L}_\omega$. Since $\mathcal{D}$ is coherent, (i) and (ii) are indeed equivalent ([Joh82]).

The Stone Duality Theorem is entirely analogous to Theorem 4.2.5, and our proof strategy is identical. However, some of the technical details are more complex; in particular, the syntactic identification of primes is less obvious than for Scott domains, since primes are no longer preserved under meets.

We begin by defining a normal form for $\mathcal{L}_{\omega\pi}$.

Definition 5.4.5 (i) $\phi$ is in strong disjunctive normal form (SDNF) if it has the form $\bigvee_{i \in I} \phi_i$, where each $\phi_i$ is in prime normal form (PNF).

(ii) $\phi$ is in PNF if it has one of the forms

• $\bigwedge_{i \in I} \Diamond a_i(\phi_i)$, where each $\phi_i$ is in PNF.

• $\Box\bigvee_{i \in I} a_i(\phi_i) \wedge \bigwedge_{j \in J} \Diamond b_j(\psi_j)$, where

1. Each $\phi_i$ and $\psi_j$ is in PNF.

2. $\forall i \in I.\ \exists j \in J.\ \vdash b_j(\psi_j) \leq a_i(\phi_i)$.

3. $\forall j \in J.\ \exists i \in I.\ \vdash b_j(\psi_j) \leq a_i(\phi_i)$.

We call (2) and (3) the convexity conditions (note the resemblance to the Egli-Milner ordering).

The combinatorics are concentrated in the following 
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Theorem 5.4.6 (SDNF) For every $\phi \in \mathcal{L}_{\omega\pi}$, there is (effectively) a $\psi$ in SDNF such that $\vdash \phi = \psi$.
Proof. By induction on $\mathrm{md}(\phi)$. The idea is to form a sequence of "transformations"

$$\phi = \phi_0 \longrightarrow \phi_1 \longrightarrow \cdots \longrightarrow \phi_n$$

such that

(1) $\vdash \phi_i = \phi_{i+1}$ $(0 \leq i < n)$

(2) $\mathrm{md}(\phi_{i+1}) \leq \mathrm{md}(\phi_i)$ $(0 \leq i < n)$

(3) $\phi_n$ is in SDNF.

(Condition (2) is needed to keep the induction going.) To keep the notation bearable, we shall omit indices in conjunctions and disjunctions, writing e.g. $\bigvee\{\phi\}$.

Firstly, using the distributive lattice laws we can transform $\phi_0$ into

$$\bigvee\Big\{\bigwedge\Big\{\Box\bigwedge\Big\{\bigvee\{a(\phi)\}\Big\}\Big\} \wedge \bigwedge\Big\{\Diamond\bigvee\Big\{\bigwedge\{b(\psi)\}\Big\}\Big\}\Big\} \qquad (5.6)$$

Using $(\Box\text{-}\wedge)$ in the outwards direction for each $\Box$-conjunct in (5.6) and the distributive law, and then $(\Diamond\text{-}\vee)$, followed by the distributive law again, in each $\Diamond$-conjunct, we obtain

$$\bigvee\Big\{\bigwedge\Big\{\Box\bigvee\{a(\phi)\}\Big\} \wedge \bigwedge\Big\{\Diamond\bigwedge\{b(\psi)\}\Big\}\Big\} \qquad (5.7)$$

Now for each non-empty conjunction

$$\bigwedge\Big\{\Box\bigvee\{a(\phi)\}\Big\}$$

in (5.7) we can use $(\Box\text{-}\wedge)$, the distributive law, and $(a\text{-}\wedge)$ (i) or (ii); similarly, inside each $\Diamond\bigwedge\{b(\psi)\}$ we can use $(\Diamond\text{-}\mathbf{t})$ if the conjunction is empty, and otherwise $(b\text{-}\wedge)$ (i) or (ii) (with further applications of $(\Diamond\text{-}\vee)$ and the distributive laws as in the previous step if $(b\text{-}\wedge)(ii)$ is applicable), to obtain

$$\bigvee\{\theta\} \qquad (5.8)$$
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where each $\theta$ is in one of the forms

$$\bigwedge\{\Diamond b(\psi)\} \qquad (5.9)$$

or

$$\Box\bigvee\{a(\phi)\} \wedge \bigwedge\{\Diamond b(\psi)\} \qquad (5.10)$$

Since we have not increased modal depth in obtaining (5.8), we can apply the inductive hypothesis to each $\phi$ and $\psi$ to obtain $\bigvee\{\phi'\}$ and $\bigvee\{\psi'\}$ with each $\phi'$ and $\psi'$ in PNF. Using $(a\text{-}\vee)$, $(\Diamond\text{-}\vee)$ and the distributive laws, we can thus obtain a formula of the same form as (5.8) in which each $\phi$ and $\psi$ in (5.9) and (5.10) is in PNF.

At this point, our formula (5.8) can only fail to be in SDNF because of disjuncts (5.10) which do not satisfy the convexity conditions

• For each $a(\phi)$, for some $b(\psi)$: $\vdash b(\psi) \leq a(\phi)$.

• For each $b(\psi)$, for some $a(\phi)$: $\vdash b(\psi) \leq a(\phi)$.

Our strategy is to remove any failures of these two conditions, using our derived equations (D1) and (D2) respectively. We begin with the first condition. We argue by induction on $(m, n)$ in the lexicographic ordering on $\omega \times \omega$, where:

• $m$ is the maximum number of $a(\phi)$ occurring in one of the disjuncts (5.10) of our formula (5.8) such that there is no $b(\psi)$ with $\vdash b(\psi) \leq a(\phi)$.

• $n$ is the number of disjuncts attaining this maximum.

If $m = 0$, there is nothing to prove. Otherwise, choose such an $a(\phi)$ in one of the maximal disjuncts. We can apply (D1) to

$$\Box\Big(\bigvee\{a'(\phi')\} \vee a(\phi)\Big)$$

to obtain

$$\Box\bigvee\{a'(\phi')\} \vee \Big[\Box\Big(\bigvee\{a'(\phi')\} \vee a(\phi)\Big) \wedge \Diamond a(\phi)\Big] \qquad (5.11)$$

We can then use the distributive law to obtain a new formula of the form (5.8) to which the inner induction hypothesis can be applied, since the first disjunct in (5.11) has jettisoned $a(\phi)$, while the second disjunct evidently contains a $\Diamond b(\psi)$ such that $\vdash b(\psi) \leq a(\phi)$, namely $a(\phi)$ itself.
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The final stage is to remove failures of the second condition. We argue by induction in the same way as for the previous stage. Suppose we are given a $b(\psi)$ in (5.10) with no $a(\phi)$ such that $\vdash b(\psi) \leq a(\phi)$. Firstly, we note that $\psi\!\uparrow$ implies $\vdash \psi = \mathbf{t}$, which is easily proved by induction on $\psi$. Hence if $\psi\!\uparrow$, we can use $(\Diamond\text{-}\mathbf{t})$ to eliminate the conjunct $\Diamond b(\psi)$. Otherwise, we can use (D2) to obtain

$$\Box\bigvee\{a(\phi)\} \wedge \Diamond\Big[b(\psi) \wedge \bigvee\{a(\phi)\}\Big] \wedge \bigwedge\{\Diamond b'(\psi')\} \qquad (5.12)$$

Now we can use the distributive law inside the second main conjunct in (5.12), followed by $(a\text{-}\wedge)$, $(\Diamond\text{-}\vee)$, and the distributive law again. In this way, the disjunct (5.12) of our main formula is replaced by the disjunction of all those formulae

$$\Box\bigvee\{a(\phi)\} \wedge \Diamond b(\phi' \wedge \psi) \wedge \bigwedge\{\Diamond b'(\psi')\} \qquad (5.13)$$

for $a'(\phi') \in \{a(\phi)\}$ with $a' = b$. For each such $\phi' \wedge \psi$, we can apply the outer induction hypothesis to obtain $\bigvee\{\theta'\}$ with each $\theta'$ in PNF. Applying $(b\text{-}\vee)$, $(\Diamond\text{-}\vee)$ and the distributive laws as before, we obtain disjuncts of the form

$$\Box\bigvee\{a(\phi)\} \wedge \Diamond b(\theta') \wedge \bigwedge\{\Diamond b'(\psi')\} \qquad (5.14)$$

Since

$$\vdash \theta' \leq \bigvee\{\theta'\} = \phi' \wedge \psi \leq \phi',$$

we can apply the inner induction hypothesis to (5.14). This completes the process of transforming $\phi$ into SDNF. $\blacksquare$

We shall now prove that formulae in PNF denote primes in $K\Omega(\mathcal{D})$.

Proposition 5.4.7 For all $\phi$ in PNF there exists $k(\phi) \in K(\mathcal{D})$ such that:

$$\forall d \in \mathcal{D}.\ d \models \phi \iff k(\phi) \sqsubseteq d.$$

Proof. We define $k(\phi)$ (which must clearly be unique) by induction on $\phi$:

• $k\Big(\bigwedge_{i \in I} \Diamond a_i(\phi_i)\Big) = \biguplus_{i \in I} \{\!|\langle a_i, k(\phi_i)\rangle|\!\} \uplus \{\!|\perp|\!\}$

• $k\Big(\Box\bigvee_{i \in I} a_i(\phi_i) \wedge \bigwedge_{j \in J} \Diamond b_j(\psi_j)\Big) =$

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$\biguplus_{i \in I} \{\!|\langle a_i, k(\phi_i)\rangle|\!\} \uplus \biguplus_{j \in J} \{\!|\langle b_j, k(\psi_j)\rangle|\!\}.$

We shall prove the proposition by induction on $\phi$. Note that in the statement of the proposition, we are viewing $\mathcal{D}$ as a transition system, according to 5.3.11. With our convention of eliding the isomorphisms between $\mathcal{D}$ and $P^0[\sum_{a \in \mathrm{Act}} \mathcal{D}]$ we have: $d = C(d)$ ($d \in \mathcal{D}$).

Case 1: $\phi = \bigwedge_{i \in I} \Diamond a_i(\phi_i)$.

• $d \models \bigwedge_{i \in I} \Diamond a_i(\phi_i)$
$\iff \forall i \in I.\ \exists \langle a_i, d_i\rangle \in d.\ d_i \models \phi_i$
$\iff \forall i \in I.\ \exists \langle a_i, d_i\rangle \in d.\ k(\phi_i) \sqsubseteq d_i$ by induction hypothesis
$\iff k(\phi) \sqsubseteq d.$

Case 2: $\phi = \Box\bigvee_{i \in I} a_i(\phi_i) \wedge \bigwedge_{j \in J} \Diamond b_j(\psi_j)$. Let $\Phi = \{a_i(\phi_i) : i \in I\} \cup \{b_j(\psi_j) : j \in J\}$.

• $d \models \phi$
$\iff \forall \langle a, d'\rangle \in d.\ \exists i \in I.\ a = a_i\ \&\ d' \models \phi_i$
$\quad \&\ \perp \notin d\ \&\ \forall j \in J.\ \exists \langle b_j, d_j\rangle \in d.\ d_j \models \psi_j$
$\iff \forall \langle a, d'\rangle \in d.\ \exists a(\theta) \in \Phi.\ d' \models \theta$
$\quad \&\ \perp \notin d\ \&\ \forall a(\theta) \in \Phi.\ \exists \langle a, d'\rangle \in d.\ d' \models \theta$
by the convexity conditions and the Soundness Theorem,
$\iff k(\phi) \sqsubseteq d$, by induction hypothesis. $\blacksquare$

Theorem 5.4.8 (Prime Completeness) For all $\phi, \phi'$ in PNF:

$$\mathcal{D} \models \phi \leq \phi' \implies \mathcal{L} \vdash \phi \leq \phi'.$$

Proof. By 4.7,

$$\mathcal{D} \models \phi \leq \phi' \iff k(\phi') \sqsubseteq k(\phi).$$
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Suppose then that $k(\phi') \sqsubseteq k(\phi)$. We argue by induction on $\phi$. There are a number of cases, according to the forms of $\phi$ and $\phi'$. We consider the case

$$\phi = \Box\bigvee_{i \in I} a_i(\phi_i) \wedge \bigwedge_{j \in J} \Diamond b_j(\psi_j), \qquad \phi' = \Box\bigvee_{i' \in I'} a_{i'}(\phi_{i'}) \wedge \bigwedge_{j' \in J'} \Diamond b_{j'}(\psi_{j'}).$$

$k(\phi') \sqsubseteq k(\phi)$
$\implies \forall j' \in J'.\ \exists j \in J.\ b_j = b_{j'}\ \&\ k(\psi_{j'}) \sqsubseteq k(\psi_j)$
$\quad \&\ \forall i \in I.\ \exists i' \in I'.\ a_i = a_{i'}\ \&\ k(\phi_{i'}) \sqsubseteq k(\phi_i)$,
by the convexity conditions, Soundness, and 5.4.7
$\implies \forall j' \in J'.\ \exists j \in J.\ \vdash b_j(\psi_j) \leq b_{j'}(\psi_{j'})$
$\quad \&\ \forall i \in I.\ \exists i' \in I'.\ \vdash a_i(\phi_i) \leq a_{i'}(\phi_{i'})$,
by the induction hypothesis,
$\implies\ \vdash \phi \leq \phi'.\ \blacksquare$

We can now use the same arguments as in Chapter 3 T7 to prove

Theorem 5.4.9 (Completeness) For all $\phi, \psi \in \mathcal{L}_\omega$:

We now establish a converse to 5.4.7.

Theorem 5.4.10 (Definability) For all $d \in K(\mathcal{D})$, for some $\phi$ in PNF, $k(\phi) = d$.

Proof. We define $\phi(d)$ by induction on the construction of $d$ according to $K(\mathcal{D})$ (Definition 5.3.9):

$$\phi\Big(\biguplus_{i \in I} \{\!|\langle a_i, d_i\rangle|\!\} \uplus \{\!|\perp|\!\}\Big) = \bigwedge_{i \in I} \Diamond a_i(\phi(d_i))$$

$$\phi\Big(\biguplus_{i \in I} \{\!|\langle a_i, d_i\rangle|\!\}\Big) = \Box\bigvee_{i \in I} a_i(\phi(d_i)) \wedge \bigwedge_{i \in I} \Diamond a_i(\phi(d_i)).$$

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Note in particular that $\phi(\emptyset) = \Box\mathbf{f}$. It is easily verified that $\phi(d)$ is in PNF and that $k(\phi(d)) = d$. $\blacksquare$

The Duality Theorem is an immediate consequence of Soundness, Completeness and Definability, just as in Chapter 3 T8.

Combining Soundness and Completeness we obtain

Theorem 5.4.11 (Completeness for $\mathcal{L}_\omega$) Let $\mathcal{C}$ be any class of transition systems containing $\mathcal{D}$. Then for $\phi, \psi \in \mathcal{L}_\omega$:
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5.5 Applications of the Domain Logic 

We shall now use domain logic to study bisimulation. Our results in this 
section can be grouped under four main headings: 

1. Comparisons with Hennessy-Milner logic 

2. Characterisation Theorems 

3. Finitary Transition Systems 

4. Universal Semantics 

Of these, (1) and (2) will confirm the appropriateness of our definitions, while 
(3) and (4) will represent a distinctive payoff for our approach. 

Comparison with Hennessy-Milner logic 

We begin with some technicalities on normal forms. 

Definition 5.5.1 We define a class of normal forms $N\mathcal{L}_\infty \subseteq \mathcal{L}_{\infty\pi}$ inductively as follows:

•

$$\frac{\phi \in N\mathcal{L}_\infty,\ a \in \mathrm{Act}}{\Diamond a(\phi) \in N\mathcal{L}_\infty}$$

$$\frac{\{\phi_i \in N\mathcal{L}_\infty\}_{i \in I},\ \{a_i \in \mathrm{Act}\}_{i \in I}\ \ (i \neq j \implies a_i \neq a_j)}{\Box\bigvee_{i \in I} a_i(\phi_i) \in N\mathcal{L}_\infty}$$

Lemma 5.5.2 (Normal Forms) For all $\phi \in \mathcal{L}_{\infty\pi}$, for some $\psi \in N\mathcal{L}_\infty$: $\vdash \phi = \psi$.
Proof. By induction on $\mathrm{md}(\phi)$. We consider the two non-trivial cases.

$\Diamond\phi$: In this case, using the distributive lattice laws there is $\phi'$ of the form

$$\bigvee_{i \in I} \bigwedge_{j \in J_i} a_{ij}(\phi_{ij})$$

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such that $\vdash \phi = \phi'$, and $\mathrm{md}(\phi') \leq \mathrm{md}(\phi)$. By the induction hypothesis, for each $\phi_{ij}$ there is $\phi'_{ij} \in N\mathcal{L}_\infty$ such that $\vdash \phi_{ij} = \phi'_{ij}$. Using $(a\text{-}\leq)$ and $(\Diamond\text{-}\leq)$, we have

$$\vdash \Diamond\phi = \Diamond\bigvee_{i \in I} \bigwedge_{j \in J_i} a_{ij}(\phi'_{ij}) \qquad (5.15)$$

Now for each $i \in I$, there are three cases:

1. $J_i = \emptyset$. In this case, $\vdash \Diamond\phi = \Diamond\mathbf{t}$, and we can use $(\Diamond\text{-}\mathbf{t})$ to obtain a normal form.

2. $\exists j_1, j_2 \in J_i.\ a_{ij_1} \neq a_{ij_2}$. In this case, we can use $(a\text{-}\wedge)(ii)$ to delete the $i$'th disjunct in the RHS of (5.15).

3. $\{a_{ij} : j \in J_i\} = \{a\}$, for some $a \in \mathrm{Act}$. In this case, we can use $(a\text{-}\wedge)(i)$.

In this way, we obtain either

$$\vdash \Diamond\phi = \mathbf{t},$$

if case (1) is ever applicable, or

$$\vdash \Diamond\phi = \Diamond\bigvee_{i' \in I'} a_{i'}(\phi_{i'}) \qquad (\phi_{i'} \in N\mathcal{L}_\infty).$$

In the latter case, we can apply $(\Diamond\text{-}\vee)$ to get a normal form.

$\Box\phi$: Similarly to the previous case, we have

$$\vdash \Box\phi = \Box\bigwedge_{i \in I} \bigvee_{j \in J_i} a_{ij}(\phi_{ij}) \qquad (\phi_{ij} \in N\mathcal{L}_\infty).$$

We can then use $(\Box\text{-}\wedge)$ to get

$$\vdash \Box\phi = \bigwedge_{i \in I} \Box\bigvee_{j \in J_i} a_{ij}(\phi_{ij}).$$

we have

using the lattice laws; we can then apply $(a\text{-}\vee)$ to get a normal form. $\blacksquare$
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Definition 5.5.3 We define translation functions

$$(\cdot)^* : \mathrm{HML}_\infty \to N\mathcal{L}_\infty, \qquad (\cdot)^\dagger : N\mathcal{L}_\infty \to \mathrm{HML}_\infty.$$

$$(\langle a\rangle\phi)^* = \Diamond a(\phi^*)$$

$$([a]\phi)^* = \Box\Big(a(\phi^*) \vee \bigvee\{b(\mathbf{t}) : b \in \mathrm{Act} - \{a\}\}\Big)$$

$$\Big(\bigvee_{i \in I} \phi_i\Big)^* = \bigvee_{i \in I} \phi_i^*$$

$$(\Diamond a(\phi))^\dagger = \langle a\rangle\phi^\dagger$$

$$\Big(\Box\bigvee_{i \in I} a_i(\phi_i)\Big)^\dagger = \bigwedge_{i \in I} [a_i]\phi_i^\dagger \wedge \bigwedge\{[b]\mathbf{f} : b \in \mathrm{Act} - \{a_i : i \in I\}\}$$

The following is easily verified.

Proposition 5.5.4 For all $\phi \in \mathrm{HML}_\infty$, $\psi \in N\mathcal{L}_\infty$:

(i) $\mathrm{md}(\phi) = \mathrm{md}(\phi^*)$

(ii) $\mathrm{md}(\psi) = \mathrm{md}(\psi^\dagger)$

(iii) $p \models \phi \iff p \models \phi^*$

(iv) $p \models \psi \iff p \models \psi^\dagger$.

As an immediate consequence of this Proposition together with 5.5.2, we have

Theorem 5.5.5 (Comparison Theorem (Infinitary Case)) For $p, q \in \mathrm{Proc}$ in any transition system, $A \subseteq \mathrm{Act}$ and $\lambda \in \mathrm{Ord}$:

$$\mathcal{L}_\infty^{(A,\lambda)}(p) \subseteq \mathcal{L}_\infty^{(A,\lambda)}(q) \iff \mathrm{HML}_\infty^{(A,\lambda)}(p) \subseteq \mathrm{HML}_\infty^{(A,\lambda)}(q).$$
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Thus in the infinitary case, $\mathcal{L}_\infty$ determines the same preorder on processes as $\mathrm{HML}_\infty$. However, when Act is infinite this does not cut down to a corresponding result for the finitary case, since our translation functions introduce infinite disjunctions in translating $[a]$, and infinite conjunctions in translating $\Box$, even for finite formulas. Our general considerations on observability in Chapter 2 suggest that the introduction of infinite conjunctions is more serious, and indicates a weakness of expressive power in $\mathrm{HML}_\omega$ as an "observational logic". This is in keeping with our remarks at the end of Section 2. In fact, our translation functions suggest an appropriate way of extending $\mathrm{HML}_\omega$ so as to render it equivalent to $\mathcal{L}_\omega$. This will be the content of a second Comparison Theorem which we will prove later in this section, when we have some additional machinery at our disposal.



Characterisation Theorems 

Combining the Comparison Theorem with the Modal Characterisation Theorem [523] we have:

Theorem 5.5.6 (Characterisation Theorem for $\mathcal{L}_\infty$) With notation as in the previous Theorem,

and therefore

$$p \lesssim q \iff \mathcal{L}_\infty(p) \subseteq \mathcal{L}_\infty(q).$$

We now turn to the question of finding a Characterisation Theorem for $\mathcal{L}_\omega$. Intuitively, $\mathcal{L}_\omega$ represents finitely observable properties of processes, hence should correspond to the "finitely observable part" of bisimulation. If we accept the finite synchronisation trees $\mathrm{ST}_\omega$ as a suitable notion of finite process, we can use them to determine the algebraic part of the bisimulation preorder, in the sense e.g. of [Gue81].

Definition 5.5.7 The finitary preorder $\lesssim^F$ is defined on any transition system by:

$$p \lesssim^F q \equiv \forall t \in \mathrm{ST}_\omega.\ t \lesssim p \implies t \lesssim q.$$

Our aim is to prove
Our aim is to prove 
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Theorem 5.5.8 (Characterisation Theorem for $\mathcal{L}_\omega$) With notation as in the previous Theorem,

We will need a few auxiliary results which also have some independent interest.

Definition 5.5.9 The height of a synchronisation tree is defined by:

$$\mathrm{ht}\Big(\sum_{i \in I} a_i t_i\ [+\Omega]\Big) = \sup\{\mathrm{ht}(t_i) : i \in I\} + 1$$

Lemma 5.5.10 For any synchronisation tree $T \in \mathrm{ST}_\infty$, $\mathrm{ht}(T) < \lambda$ implies

Proof. The left-to-right implication is immediate; the converse is an easy induction on $\mathrm{ht}(T)$. $\blacksquare$

In particular, we see that for a finite synchronisation tree $t \in \mathrm{ST}_\omega$, $t \lesssim p \iff t \lesssim_\omega p$. Thus we have the inclusions

$$\lesssim\ \subseteq\ \lesssim_\omega\ \subseteq\ \lesssim^F$$

In general, these inclusions are strict.

Examples

(1) $\lesssim\ \neq\ \lesssim_\omega$.

Then $p \lesssim_\omega q$, but $p \not\lesssim_{\omega+1} q$.

(2) $\lesssim_\omega\ \neq\ \lesssim^F$.

$$p = a\Big(\sum_{n \in \omega} b^n 0 + \Omega\Big) + \Omega$$

$$q = \sum_{n \in \omega} a\Big(\sum_{m \in \omega - \{n\}} b^m 0 + \Omega\Big) + \Omega$$

Then $p \lesssim^F q$, but $p \not\lesssim_\omega q$.

These examples gain in significance because all the processes involved can 
be defined in finitary calculi, in particular SCCS, as we shall see in the next 
section. 
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Lemma 5.5.11 (Sort Lemma) In any transition system, let $p, q \in \mathrm{Proc}$, $\mathrm{sort}(p) \subseteq A \subseteq \mathrm{Act}$, $\lambda \in \mathrm{Ord}$. Then

Proof. By induction on $\lambda$. We assume $p \not\lesssim_\lambda q$ and must construct $\phi \in \mathcal{L}^{(A,\lambda)}(p) - \mathcal{L}^{(A,\lambda)}(q)$. There are three cases.

(1) $p \xrightarrow{a} p'$ and for all $q'$, $q \xrightarrow{a} q'$ implies $p' \not\lesssim_\alpha q'$ for some $\alpha < \lambda$. By induction hypothesis, for each such $q'$ there is $\phi_{q'} \in \mathcal{L}^{(A,\alpha)}(p') - \mathcal{L}^{(A,\alpha)}(q')$. Now define

(2) $p\downarrow$ and $q\uparrow$. Let $\phi = \Box\bigvee\{a(\mathbf{t}) : \exists p'.\ p \xrightarrow{a} p'\}$.

(3) $q \xrightarrow{a} q'$, and for all $p'$, $p \xrightarrow{a} p'$ implies $p' \not\lesssim_\alpha q'$ for some $\alpha < \lambda$. Define $\phi_{p'}$ similarly to case (1). Then we define

$$\phi = \Box\Big(\bigvee\{a(\phi_{p'}) : p \xrightarrow{a} p'\} \vee \bigvee\{b(\mathbf{t}) : b \neq a\ \&\ \exists r.\ p \xrightarrow{b} r\}\Big).\ \blacksquare$$

Note that this result is stronger than the Modal Characterisation Theorem [523] for Hennessy-Milner logic, since we only require $\mathrm{sort}(p) \subseteq A$. This is significant in the light of the example at the end of Section 2.

Proposition 5.5.12 For all $t \in \mathrm{ST}_\omega$:

Proof. Combining 5.5.10 and 5.5.11 we see that

where $A = \mathrm{sort}(t)$ and $k = \mathrm{ht}(t)$. Since $A$ and $k$ are both finite, $\mathcal{L}_\infty^{(A,k)}$ is finite up to logical equivalence (i.e. the Lindenbaum algebra is finite). Thus each formula in $\mathcal{L}_\infty^{(A,k)}$ is equivalent to one in $\mathcal{L}_\omega$, and the proposition is proved. $\blacksquare$

We need one more auxiliary result, which will in fact be a consequence of our work on SCCS in the next section. Firstly, we define a map from prime normal forms to finite synchronisation trees

$$\mathrm{st} : \mathrm{PNF} \to \mathrm{ST}_\omega$$

as follows:

$$\mathrm{st}\Big(\Box\bigvee_{i \in I} a_i(\phi_i) \wedge \bigwedge_{j \in J} \Diamond b_j(\psi_j)\Big) = \sum_{i \in I} a_i\,\mathrm{st}(\phi_i) + \sum_{j \in J} b_j\,\mathrm{st}(\psi_j).$$

Now analogously to 5.4.7 we have
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Proposition 5.5.13 For all $\phi$ in PNF, and $p \in \mathrm{Proc}$ in any transition system:

$$p \models \phi \iff \mathrm{st}(\phi) \lesssim p.$$

The proof is entirely analogous to 5.4.7.

We can now prove 5.5.8. Firstly, $\mathcal{L}_\omega(p) \subseteq \mathcal{L}_\omega(q)$ implies $p \lesssim^F q$, by 5.5.12.

For the converse, assume $p \lesssim^F q$ and $p \models \phi$ ($\phi \in \mathcal{L}_\omega$). By the SDNF Theorem 5.4.6,

$$\vdash \phi = \bigvee_{i \in I} \phi_i \qquad (\phi_i \in \mathrm{PNF})$$

so

$p \models \phi \implies \exists i \in I.\ p \models \phi_i \implies \mathrm{st}(\phi_i) \lesssim p \implies \mathrm{st}(\phi_i) \lesssim q \implies q \models \phi_i \implies q \models \phi.\ \blacksquare$

Finitary Transition Systems 

We now embark on our next topic. The various finiteness conditions on transition systems defined in section 2 reflect attempts to capture features of finitary processes. However, none of these conditions seems to capture exactly the right class of systems unless we make some unwelcome assumptions such as that the set of actions is finite. We shall adopt what seems to be a novel approach, of using our program logic to axiomatize a class of systems which we propose as the finitary ones. Our axiomatisation consists of two schemes over $\mathcal{L}_\infty$.

Notation. Fin($I$) is the set of finite subsets of $I$.

• The axiom scheme of bounded non-determinacy:

(BN) $\Box\bigvee_{i \in I}\phi_i \le \bigvee_{J \in \mathrm{Fin}(I)}\Box\bigvee_{i \in J}\phi_i$

• The axiom scheme of finite approximability:

(FA) $\bigwedge_{J \in \mathrm{Fin}(I)}\Diamond\bigwedge_{j \in J}\phi_j \le \Diamond\bigwedge_{i \in I}\phi_i \qquad (\phi_i \in \mathcal{L}_\infty)$.
Note that these axioms are duals. Since the opposite entailments are theorems of $\mathcal{L}_\infty$, we shall in fact use (BN) and (FA) to denote the corresponding equations. The axioms could equivalently be formulated as: $\Box$ preserves directed joins, $\Diamond$ preserves filtered meets.

What are the intuitions behind these axioms? (BN) is (thinking of each process as the set of its capabilities and each $\phi_i$ as an open set) exactly a statement of compactness; the link between compactness and the computational notion of bounded non-determinacy is well-known from the literature on powerdomains [Plo81, Smy83b].



The axiom of finite approximability is less familiar from either the topological or the computer science literature. It is best understood as a logical (or localic) expression of the idea that only closed sets are taken as elements of a finitary powerdomain construction (or, better put, that from the point of view of finite observability we cannot distinguish between a set and its closure). The best way to get a more precise understanding is probably to read the proof of the next Theorem.

The duality between the two axioms is reminiscent of the discussion of finite breadth (BN) and finite length (FA) limitations of testing in [Abr83a].

Definition 5.5.14 A transition system is finitary if it satisfies (all instances 
of) (BN) and (FA). The class of finitary transition systems is denoted FTS. 

As a first step, we shall give a substantive example of a finitary transition 
system. As we will see, it is actually the best possible example. 

Theorem 5.5.15 $\mathcal{D}$ is a finitary transition system.

Proof. By the Duality Theorem 5.4.4 we have a map

$[\![\cdot]\!] : \mathcal{L}_\omega \to K\Omega(\mathcal{D})$

$[\![\phi]\!] = \{d \in \mathcal{D} : d \models \phi\}$.

Now for $d \in \mathcal{D}$,

$d \models \Box\bigvee_{i \in I}\phi_i \implies d \models \bigvee_{J \in \mathrm{Fin}(I)}\Box\bigvee_{i \in J}\phi_i$

is just the statement

$d \subseteq \bigcup_{i \in I} O_i \implies \exists J \in \mathrm{Fin}(I).\ d \subseteq \bigcup_{i \in J} O_i$,

where $O_i = [\![\phi_i]\!]$, i.e. that $d$ is compact as a subset of $\sum_{a \in \mathrm{Act}}\mathcal{D}$. Since $d \in \mathcal{D} = P^0[\sum_{a \in \mathrm{Act}}\mathcal{D}]$ and elements of the Plotkin powerdomain are Scott-compact subsets of the base domain ([Plo81]), this proves that $\mathcal{D}$ satisfies (BN).

Next we show that $\mathcal{D}$ satisfies (FA). Since there are only countably many distinct formulae in $\mathcal{L}_\omega$, it suffices to prove the following:

• Given a sequence $\{U_n\}$ of compact-open subsets of $\mathcal{D}$, with $U_n \supseteq U_{n+1}$ ($n \in \omega$), and an element $d \in \mathcal{D}$ such that $d \cap U_n \neq \emptyset$ ($n \in \omega$), then $d \cap \bigcap_{n \in \omega} U_n \neq \emptyset$.

(The alternative case for $d \models U_n$, namely $\bot \in U_n$ for all $n$, is trivial.)

Since each $U_n$ is compact-open, it has the form $\uparrow\! B_n$, where $B_n$ is a finite subset of $K(\mathcal{D})$. Also, $B_n \sqsubseteq_U B_{n+1}$, where

$X \sqsubseteq_U Y \equiv \forall y \in Y.\ \exists x \in X.\ x \sqsubseteq y \qquad (X, Y \subseteq \mathcal{D})$.

Now define

$C_n = \{b \in B_n : \exists x \in d.\ b \sqsubseteq x\} \qquad (n \in \omega)$.

Since $d \cap U_n \neq \emptyset$, $C_n \neq \emptyset$ for all $n$. Also, $C_n \sqsubseteq_U C_{n+1}$. Thus by König's Lemma in the form given e.g. in [Niv81], there is a sequence $\{c_n\}$ with $c_n \sqsubseteq c_{n+1}$ and $c_n \in C_n$. Now define

$e_n = \{|c_n|\} \uplus \{|\bot|\} \qquad (n \in \omega)$.

Clearly $e_n \sqsubseteq e_{n+1}$ and $e_n \sqsubseteq d$ for all $n$, whence $\bigsqcup e_n \sqsubseteq d$. But $\bigsqcup c_n \in \bigsqcup e_n$ (using the description of least upper bounds of chains in the Plotkin powerdomain given in [Plo76, Theorem 8]), and so for some $x \in d$, $\bigsqcup c_n \sqsubseteq x$. Since $\bigsqcup c_n \in U_n$ for all $n$, $d \cap \bigcap_{n \in \omega} U_n \neq \emptyset$, and the proof is complete. ∎

We now draw some striking consequences from the finitary axioms. 

Definition 5.5.16 A formula $\phi \in \mathcal{L}_\infty$ is in finitary normal form if it has the form

$\bigwedge_{i \in I}\bigvee_{j \in J_i}\phi_{ij} \qquad (\phi_{ij} \in \mathcal{L}_\omega)$.

Lemma 5.5.17 For each $\phi \in \mathcal{L}_\infty$, for some finitary normal form $\psi$:

(BN) + (FA) $\vdash \phi = \psi$.
Proof. An easy induction on $\mathrm{ht}(\phi)$. ∎

Proposition 5.5.18 In any finitary transition system $T$, for all $p, q \in$ Proc:

Proof. The left to right implication is immediate. For the converse, suppose $\mathcal{L}_\omega(p) \subseteq \mathcal{L}_\omega(q)$ and $p \models \phi$ ($\phi \in \mathcal{L}_\infty$). By 5.5.17,

(BN) + (FA) $\vdash \phi = \bigwedge_{i \in I}\bigvee_{j \in J_i}\phi_{ij} \qquad (\phi_{ij} \in \mathcal{L}_\omega)$,

hence since $T \models$ (BN) + (FA), $T \models \phi = \bigwedge_{i \in I}\bigvee_{j \in J_i}\phi_{ij}$. Now

$p \models \bigwedge_{i \in I}\bigvee_{j \in J_i}\phi_{ij}$
$\implies \forall i \in I.\ \exists j \in J_i.\ p \models \phi_{ij}$
$\implies \forall i \in I.\ \exists j \in J_i.\ q \models \phi_{ij}$
$\implies q \models \phi$. ∎

Theorem 5.5.19 (Finitary Characterisation Theorem) With notation 
as in the previous Proposition: 

P^^Q P^uj(l P^^Q CM ^ CM- 

Proof. Combine Theorems 5.5.6, 5.5.8 and 5.5.18. ∎

In order to continue our study of finitary transition systems, we need to 
introduce some notions from our final topic of this section. 

Universal Semantics 

Given any transition system and $p \in$ Proc, it is easy to see that $\mathcal{L}_\omega(p) \subseteq \mathcal{L}_\omega$ satisfies the axioms of a prime filter; hence we have a map

$\mathcal{L}_\omega(\cdot) : \mathrm{Proc} \to \mathrm{Spec}\,\mathcal{L}_\omega$.

If we compose this with the isomorphism $\mathrm{Spec}\,\mathcal{L}_\omega \cong \mathcal{D}$ from the Duality Theorem 5.4.4 we get a map

$[\![\cdot]\!] : \mathrm{Proc} \to \mathcal{D}$

which takes each process to an element of our domain. This map can be regarded as a syntax-free denotational semantics; it is universal since it is defined on every transition system.

Theorem 5.5.20 (Universal Semantics) For any transition system T with 
p,q & Proc.- 

(ii) 

If $T$ is finitary, then:

{Hi) p<^q <^ IpI C |g] 
(iv) p ~^ Ip}. 

Proof. Clearly (i) follows from (ii), and (iii) from (iv). Now C^aip) = 
C^dp}); and so (ii) follows from 15. 5.^ while (iv) follows from 15. 5. I 

We can think of 5.5.20 as a full abstraction theorem [Mil75, Plo77, Mil77] for our semantics; it says that every transition system (finitary transition system) can be embedded in $\mathcal{D}$ with as much identification as possible modulo the finitary equivalence (bisimulation).

Since $\mathcal{D}$ can itself be viewed as a transition system, we can tie things up even more neatly. Let TS be the category with objects the transition systems, and morphisms $T_1 \to T_2$ maps

$f : \mathrm{Proc}_1 \to \mathrm{Proc}_2$

for which

$\mathcal{L}_\omega(p) = \mathcal{L}_\omega(f(p)) \qquad (p \in \mathrm{Proc}_1)$.
It is clear that for such / 

P^^Q f{p)^^f{(l), 
and if 7i and T2 are finitary, 

P^^Q f{p)^^f{(l)- 
Now we have 
Theorem 5.5.21 (Final Algebra Theorem) $\mathcal{D}$ is final in TS, and also in the subcategory FTS of finitary transition systems.

Proof. All we need to show is that the semantic map $[\![\cdot]\!]$ is the unique morphism from a transition system to $\mathcal{D}$. But for $d_1, d_2 \in \mathcal{D}$,

$\mathcal{L}_\omega(d_1) \subseteq \mathcal{L}_\omega(d_2) \iff K\Omega(d_1) \subseteq K\Omega(d_2)$ by the Duality Theorem 5.4.4
$\iff d_1 \sqsubseteq d_2$ since $\mathcal{D}$ is coherent,

which gives uniqueness. ∎

Finitary Transition Systems Resumed 

Firstly, some conditions equivalent to finitariness. 

Proposition 5.5.22 For any transition system $T$, the following conditions are equivalent:

(i) $T$ is finitary
(ii) $\forall p \in \mathrm{Proc}.\ p \sim [\![p]\!]$
(iii) $\lesssim^{\omega} = \lesssim$ in the combined system $T + \mathcal{D}$ (disjoint union).

Proof. (i) ⟹ (ii) is 5.5.20 (iv); (ii) ⟹ (iii) since $\mathcal{D}$ is finitary.

(ii) ⟹ (i). Suppose that $T$ is not finitary, in particular that (BN) fails; i.e. that for some $p \in$ Proc,

$p \models \Box\bigvee_{i \in I}\phi_i$ and $\forall J \in \mathrm{Fin}(I).\ p \not\models \Box\bigvee_{j \in J}\phi_j$.

Then since $\mathcal{L}_\omega(p) = \mathcal{L}_\omega([\![p]\!])$, and each $\Box\bigvee_{j \in J}\phi_j \in \mathcal{L}_\omega$, $[\![p]\!] \not\models \Box\bigvee_{j \in J}\phi_j$ for all $J \in \mathrm{Fin}(I)$; hence since $[\![p]\!] \in \mathcal{D}$ and $\mathcal{D}$ is finitary, $[\![p]\!] \not\models \Box\bigvee_{i \in I}\phi_i$. Thus $\mathcal{L}_\infty([\![p]\!]) \neq \mathcal{L}_\infty(p)$, and so by 5.5.6 $p \not\sim [\![p]\!]$. The case when (FA) fails is similar.

(iii) ⟹ (ii). Suppose for some $p$, $p \not\sim [\![p]\!]$. Then since $p \sim^{\omega} [\![p]\!]$ by 5.5.20 (ii), $\lesssim^{\omega} \neq \lesssim$. ∎

Note that in part (iii) of this Proposition we have "added in" $\mathcal{D}$ to the given transition system $T$. This is to overcome the problem that there may not be enough processes in $T$ alone to cause $\lesssim^{\omega} = \lesssim$ to fail.

Now we relate some of the finitariness conditions of Section 2 to our axioms.

Proposition 5.5.23 (i) Weakly finite branching is equivalent to weakly image finite plus weakly initials finite.
(ii) Weakly finite branching implies (BN).
(iii) (BN) implies weakly initials finite.
(iv) (BN) + (FA) do not imply weakly image finite.

Proof. (i). Easy.

(ii). Suppose $p \models \Box\bigvee_{i \in I}\phi_i$. If $p\uparrow$, then $(\bigvee_{i \in I}\phi_i)\uparrow$, i.e. $\phi_i\uparrow$ for some $i \in I$, in which case $\vdash \phi_i = \mathsf{t}$, and the conclusion is trivial. Otherwise, $p\downarrow$, and so $C(p)$ is finite, say

$C(p) = \{\langle a_1, p_1\rangle, \ldots, \langle a_n, p_n\rangle\}$.

Then for each $k$ with $1 \le k \le n$, $\langle a_k, p_k\rangle \models \phi_{i_k}$ for some $i_k \in I$, and so $p \models \Box\bigvee_{j \in J}\phi_j$, where $J = \{i_1, \ldots, i_n\}$.

(iii). Assume (BN) and $p\downarrow$. Then $p \models \Box\bigvee_{a \in \mathrm{Act}} a(\mathsf{t})$, so by (BN)

$p \models \bigvee_{J \in \mathrm{Fin}(\mathrm{Act})}\Box\bigvee_{a \in J} a(\mathsf{t})$,

which says exactly that $p$ has a finite set of initial actions.

(iv). $\sum_{n \in \omega} a^n O + \Omega$ is in $\mathcal{D}$. ∎

All the usual finitary calculi are weakly finite branching, and so satisfy (BN). However, in general these calculi do not satisfy (FA) (analogously to the fact that generating trees over domains do not yield closed sets, although they always yield compact ones; cf. [Plo81]). As a standard counterexample, define

$\phi_0 = \mathsf{t}$
$\phi_{k+1} = a(\Diamond\phi_k)$.

Then for all $J \in \mathrm{Fin}(\omega)$, $p \models \Diamond\bigwedge_{j \in J}\phi_j$, but $p \not\models \Diamond\bigwedge_{i \in \omega}\phi_i$.

Thus if $p$ can be defined in our calculus, it does not satisfy (FA). Since $p$ can be defined in CCS, SCCS (see next section), etc., these calculi are not finitary transition systems according to Definition 5.5.14. However, we can take the view that if we only take account of observable information via the semantics $[\![\cdot]\!]$, we have collapsed the given system into a finitary one which will actually, by Theorems 5.5.20 and 5.5.21, be isomorphic to a subsystem (or, topologically, a subspace) of $\mathcal{D}$.
Comparison Theorems Resumed

We now return to the question of finding a suitable correspondence between the finitary parts of HML and $\mathcal{L}$. As confirmation of our claim that $HML_\omega$ is unsatisfactory, we have:

Observation. $HML_\omega$ does not characterise $\lesssim^{\omega}$.

In fact, 5.2.7 provides a counter-example since, with the notation used there, $p \not\lesssim^{\omega} q$ while $HML_\omega(p) \subseteq HML_\omega(q)$.

We can get an idea of how to extend $HML_\omega$ by inspection of the translation functions 5.5.3. Although $(\cdot)^\dagger$ introduces infinitary conjunctions, these are of a special kind, for which a finitary counterpart can be found.

Definition 5.5.24 $HML^+_\omega$ is the extension of $HML_\omega$ with additional atomic formulae of the form

$\mathrm{init}(A) \qquad (A \in \mathrm{Fin}(\mathrm{Act}))$.

The definition of the satisfaction relation is extended by

$p \models \mathrm{init}(A) \equiv p\downarrow\ \&\ \{a \in \mathrm{Act} : \exists q.\ p \xrightarrow{a} q\} \subseteq A$.

We can now modify the translation function $(\cdot)^\dagger$ as follows:

$(\Box\bigvee_{i \in I} a_i(\phi_i))^\dagger = \bigwedge_{i \in I}[a_i](\phi_i)^\dagger \wedge \mathrm{init}(\{a_i : i \in I\})$.

Proposition 5.5.4 clearly still holds with this modification, and $(\cdot)^\dagger$ now cuts down to a function

$\mathcal{L}_\omega \to HML^+_\omega$.

There is still a mismatch in the other direction, since $(\cdot)^*$ introduces infinite disjunctions. To overcome this, we have to make the assumption that the transition system satisfies (BN) — a mild one, as 5.5.23 and the ensuing discussion show.

Let $\mathcal{L}_{\vee\infty}$ be the sublanguage of $\mathcal{L}_\infty$ obtained by the restriction to finite conjunctions (but with infinite disjunctions still allowed).

Proposition 5.5.25 In any transition system satisfying (BN), for all $p, q \in$ Proc

Proof. Just like 5.5.18. ∎

Clearly, $(\cdot)^*$, extended by the clause

$(\mathrm{init}(A))^* = \Box\bigvee\{a(\mathsf{t}) : a \in A\}$

cuts down to a function

$HML^+_\omega \to \mathcal{L}_{\vee\infty}$.

We thus arrive at our

Theorem 5.5.26 (Comparison Theorem (Finitary Case)) With notation as in the previous Proposition:

5.6 Full Abstraction for SCCS

So far, we have worked with abstract transition systems, in a syntax-free fashion. This degree of abstraction carries a price; we lose compositionality. Indeed, we need syntax to define compositionality. Accordingly, in this Section we turn to a particular transition system specified by an algebraic syntax, namely Milner's SCCS [Mil83]. We equip our domain $\mathcal{D}$ with a continuous algebraic structure corresponding to the signature of SCCS. Our main result is that the resulting denotational semantics for SCCS is fully abstract [Mil75, Plo77] with respect to bisimulation for finite terms, and with respect to the finitary preorder for recursive terms. As a by-product we will show that $\mathcal{D}$ is isomorphic to Hennessy's term model [Hen81], and hence obtain a complete axiomatisation of its equational theory as an immediate consequence of Hennessy's results.

Our choice of SCCS is for illustrative purposes, because it is simple and yet expressive. Similar accounts could be given for CCS [Mil80], MEIJE [AB84], ACP [BK84], etc. Note, however, that our semantics is fully abstract with respect to the strong congruence in Milner's terminology [Mil83], where all actions are observable. A corresponding treatment of observation equivalence [HM85], where unobservable actions are factored out, is still an open problem as far as I know; some hints of a possible approach may be gleaned from [Abr87b].

We begin by recalling some basic definitions on SCCS from [Mil83, Hen81].

We assume familiarity with basic notions of universal algebra; see e.g. [GTW78, EM85].

We fix a set of actions Act, which we assume comes equipped with an abelian monoid structure comprising

• an associative, commutative binary operation which we denote by juxtaposition, e.g. $ab$

• a unit 1.

The (one-sorted) signature $\Sigma$ of SCCS is then defined as follows:

Definition 5.6.1 $\Sigma = \{\Sigma_n\}_{n \in \omega}$, where $\Sigma_n$ is the set of operation symbols of arity $n$ in $\Sigma$.

$\Sigma_0 = \{O, \Omega\}$
$\Sigma_1 = \{a\_ : a \in \mathrm{Act}\} \cup \{\_\backslash A : A \subseteq \mathrm{Act}\} \cup \{\_[S] : S \text{ is a monoid endomorphism on Act}\}$
$\Sigma_2 = \{+, \times\}$
$\Sigma_n = \emptyset,\ n > 2$.

Thus our version of SCCS only has finite sums (in contrast with [Mil83]), and has a constant for the undefined process as in [Hen81].

We define the subsignature $\Sigma' \subseteq \Sigma$ to be obtained by omitting the restriction operators $\_\backslash A$, the relabelling operators $\_[S]$, and the synchronous product operator $\times$, leaving only the nullary sum $O$, the binary sum $+$, prefixing $a\_$, and the undefined process $\Omega$.

We take the finite processes of SCCS to be the terms over the signature $\Sigma$, i.e. the elements of the term algebra $T_\Sigma$. Evidently, we can take the elements of $T_{\Sigma'}$ as notations for the finite synchronisation trees $ST_\omega$.

Definition 5.6.2 (Operational Semantics) We make $T_\Sigma$ into a transition system by defining the transition relation and divergence predicate in a syntax-directed way, as the least relations satisfying the following axioms and rules:

$(\Omega\uparrow)\quad \Omega\uparrow$

$\dfrac{t_1\uparrow}{(t_1 + t_2)\uparrow} \qquad \dfrac{t_2\uparrow}{(t_1 + t_2)\uparrow}$

$\dfrac{t\uparrow}{(t\backslash A)\uparrow} \qquad \dfrac{t\uparrow}{t[S]\uparrow}$

$\dfrac{t_1\uparrow}{(t_1 \times t_2)\uparrow} \qquad \dfrac{t_2\uparrow}{(t_1 \times t_2)\uparrow}$

$(Ta)\quad at \xrightarrow{a} t$

$(T{+}L)\quad \dfrac{t_1 \xrightarrow{a} t_1'}{t_1 + t_2 \xrightarrow{a} t_1'} \qquad (T{+}R)\quad \dfrac{t_2 \xrightarrow{a} t_2'}{t_1 + t_2 \xrightarrow{a} t_2'}$

$(T\backslash)\quad \dfrac{t \xrightarrow{a} t'}{t\backslash A \xrightarrow{a} t'\backslash A}\ (a \in A) \qquad \dfrac{t \xrightarrow{a} t'}{t[S] \xrightarrow{Sa} t'[S]}$

$(T\times)\quad \dfrac{t_1 \xrightarrow{a} t_1' \qquad t_2 \xrightarrow{b} t_2'}{t_1 \times t_2 \xrightarrow{ab} t_1' \times t_2'}$
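The following is an added illustration, not part of the thesis: a small Python model of closed finite SCCS terms that computes the transition relation and divergence predicate of Definition 5.6.2 directly from the rules, and decides a prebisimulation preorder on finite terms. The term encoding, the representation of Act as a free abelian monoid over generator names, and the definition of the preorder used here (every move of $p$ is matched by $q$; if $p$ converges then $q$ converges and every move of $q$ is matched by $p$) are assumptions of this example, since the definition from Section 2 is not reproduced on this page.

```python
# Added example (not from the thesis): operational semantics of finite SCCS
# terms (Definition 5.6.2 / Proposition 5.6.3) and a prebisimulation preorder,
# computed directly on closed finite terms.
from functools import lru_cache

# Actions: the free abelian monoid over generator names, represented as sorted
# tuples of strings; the unit 1 is the empty tuple.  (Assumed encoding.)
UNIT = ()

def act(*gens):
    return tuple(sorted(gens))

def mult(a, b):
    """Monoid product ab (juxtaposition in the thesis)."""
    return tuple(sorted(a + b))

def relabel(S, a):
    """Extend the generator map S (a tuple of (generator, action) pairs) to a
    monoid endomorphism; generators not mentioned are left fixed."""
    table = dict(S)
    out = UNIT
    for g in a:
        out = mult(out, table.get(g, (g,)))
    return out

# Terms over the signature Sigma of Definition 5.6.1, as nested tuples.
O = ('O',)                                        # nullary sum
OMEGA = ('Omega',)                                # undefined process
def pre(a, t): return ('pre', a, t)               # prefixing a t
def plus(t1, t2): return ('sum', t1, t2)          # binary sum t1 + t2
def res(t, A): return ('res', t, frozenset(A))    # restriction t\A
def rel(t, S): return ('rel', t, tuple(S))        # relabelling t[S]
def prod(t1, t2): return ('prod', t1, t2)         # synchronous product t1 x t2

def diverges(t):
    """The divergence predicate t↑ of Definition 5.6.2."""
    k = t[0]
    if k == 'Omega':
        return True
    if k in ('O', 'pre'):
        return False
    if k in ('sum', 'prod'):
        return diverges(t[1]) or diverges(t[2])
    return diverges(t[1])                         # restriction and relabelling

def transitions(t):
    """The set {(a, t') : t --a--> t'} generated by the rules of 5.6.2."""
    k = t[0]
    if k in ('O', 'Omega'):
        return frozenset()
    if k == 'pre':
        return frozenset({(t[1], t[2])})
    if k == 'sum':
        return transitions(t[1]) | transitions(t[2])
    if k == 'res':
        _, u, A = t
        return frozenset((a, res(v, A)) for a, v in transitions(u) if a in A)
    if k == 'rel':
        _, u, S = t
        return frozenset((relabel(S, a), rel(v, S)) for a, v in transitions(u))
    _, u1, u2 = t                                 # product: both sides move together
    return frozenset((mult(a, b), prod(v1, v2))
                     for a, v1 in transitions(u1) for b, v2 in transitions(u2))

@lru_cache(maxsize=None)
def below(p, q):
    """p ≲ q, the prebisimulation preorder assumed in this example: every move
    of p is matched by q, and if p converges then q converges and every move
    of q is matched by p.  Terminates on finite terms because ht(t') < ht(t)
    for every transition (cf. the height function in 5.6.7)."""
    tp, tq = transitions(p), transitions(q)
    if not all(any(a == b and below(p1, q1) for b, q1 in tq) for a, p1 in tp):
        return False
    if diverges(p):
        return True                               # divergent p: nothing more required
    if diverges(q):
        return False                              # convergent p is never below divergent q
    return all(any(a == b and below(p1, q1) for a, p1 in tp) for b, q1 in tq)

def bisimilar(p, q):
    """p ~ q, i.e. p ≲ q and q ≲ p."""
    return below(p, q) and below(q, p)

a, b, c = act('a'), act('b'), act('c')
# Restriction, relabelling and product can be eliminated on finite terms
# (cf. the remark after Definition 5.6.4): each is bisimilar to a Sigma'-term.
ELIMINATION_EXAMPLES = [
    (prod(pre(a, O), pre(b, O)),           pre(mult(a, b), O)),   # aO x bO ~ (ab)O
    (res(plus(pre(a, O), pre(b, O)), {a}), pre(a, O)),            # (aO + bO)\{a} ~ aO
    (rel(pre(a, O), [('a', c)]),           pre(c, O)),            # (aO)[S] ~ cO, Sa = c
]

def check_eliminations():
    return all(bisimilar(t, u) for t, u in ELIMINATION_EXAMPLES)

if __name__ == '__main__':
    print(check_eliminations())                                   # True
    print(below(OMEGA, O), below(O, OMEGA))                       # True False
    print(below(plus(OMEGA, pre(a, O)), plus(pre(a, O), pre(b, O))))   # True
```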
For an illuminating discussion of the conceptual basis for these and related axioms, see [Mil86].

We now have a transition system $(T_\Sigma, \mathrm{Act}, \to, \uparrow)$ implicitly defined by 5.6.2. The following proposition gives a more explicit description of this system.

Proposition 5.6.3 For all $t, t_1, t_2 \in T_\Sigma$:

(i)(a) $O\downarrow$; (b) $O \not\to$
(ii)(a) $\Omega\uparrow$; (b) $\Omega \not\to$
(iii)(a) $at\downarrow$; (b) $at_1 \xrightarrow{b} t_2 \iff b = a\ \&\ t_1 = t_2$
(iv)(a) $(t_1 + t_2)\uparrow \iff t_1\uparrow$ or $t_2\uparrow$; (b) $(t_1 + t_2) \xrightarrow{a} t \iff t_1 \xrightarrow{a} t$ or $t_2 \xrightarrow{a} t$
(v)(a) $(t\backslash A)\uparrow \iff t\uparrow$; (b) $t_1\backslash A \xrightarrow{a} t_2 \iff \exists t.\ t_1 \xrightarrow{a} t\ \&\ t_2 = t\backslash A\ \&\ a \in A$
(vi)(a) $t[S]\uparrow \iff t\uparrow$; (b) $t_1[S] \xrightarrow{a} t_2 \iff \exists b, t.\ t_1 \xrightarrow{b} t\ \&\ t_2 = t[S]\ \&\ a = Sb$
(vii)(a) $(t_1 \times t_2)\uparrow \iff t_1\uparrow$ or $t_2\uparrow$; (b) $t_1 \times t_2 \xrightarrow{a} t \iff \exists t_1', t_2', b_1, b_2.\ t_i \xrightarrow{b_i} t_i'\ (i = 1, 2)\ \&\ t = t_1' \times t_2'\ \&\ a = b_1 b_2$.

Proof. By induction on the length of proofs of $t\uparrow$, $t_1 \xrightarrow{a} t_2$. ∎

Now given any $\Sigma$-algebra $A$, by initiality of $T_\Sigma$ there is a unique $\Sigma$-homomorphism

$[\![\cdot]\!]^A : T_\Sigma \to A$,

which is just another notation for a compositional denotational semantics as in [MS76, Sto77, Gor79]. Thus to form a denotational semantics $[\![\cdot]\!]^{\mathcal{D}}$ based on our domain $\mathcal{D}$, it suffices to define each operation in $\Sigma$ as a function of the appropriate arity over $\mathcal{D}$. We shall in fact define the operations so that they are continuous over $\mathcal{D}$.
Definition 5.6.4 We specify a $\Sigma$-structure on $\mathcal{D}$:



Restriction: 

{v) {_\A)^ = ^$ G [p ^ V]. l+|opO((7^$) 

where 

aGAct 

is defined by 

QA^l- = {|±|} 

{|<a, if a G A 



otherwise 



I.e. 



gA^ = W\deV.^<a,M>\}Y[ ]J Arf G 

aGA aGAct-A 

where $\coprod$ is "source tupling" [WBT85]).
Relabelling: 

where 

aGAct aGAct 

is defined by 

gs^^ = ± 
gs^<a,d> = <Sa,^d> 
Product:
where 

aeAct aeAct 

is defined by 

$f_\Phi(x, \bot) = f_\Phi(\bot, x) = \bot$
$f_\Phi(\langle a, d\rangle, \langle b, e\rangle) = \langle ab, \Phi(d, e)\rangle$

The only point which needs to be checked to ensure that this definition yields well-defined continuous functions is that $g_{A\Phi}$, $g_{S\Phi}$ and $f_\Phi$ are (bi)strict and continuous, which is immediate from the definitions. Note that restriction, relabelling and product are defined recursively, while sum and prefixing are interpreted by the basic operations derived from the domain equation for $\mathcal{D}$. This corresponds to the fact that restriction, relabelling and product can be eliminated (for finite terms) in the equational theory of SCCS modulo bisimulation.

The continuous $\Sigma$-algebra defined by 5.6.4 is denoted $\mathcal{D}_\Sigma$. The following is an easy consequence of 5.6.4 and 5.3.10.

Proposition 5.6.5 The semantic function

$[\![\cdot]\!]^{\mathcal{D}} : T_\Sigma \to \mathcal{D}$

cuts down to surjections

Thus the finite synchronisation trees provide a notation for the finite elements of $\mathcal{D}$.

We now relate our definitions of the SCCS operations on $\mathcal{D}$ to the transition system view of $\mathcal{D}$.
Proposition 5.6.6 For all $d, d_1, d_2 \in K(\mathcal{D})$:

(i)(a) $O^{\mathcal{D}}\downarrow$; (b) $O^{\mathcal{D}} \not\to$

(ii)(a) $\Omega^{\mathcal{D}}\uparrow$; (b) $\Omega^{\mathcal{D}} \not\to$

(iii)(a) $a^{\mathcal{D}} d\downarrow$;
(b) $a^{\mathcal{D}} d_1 \xrightarrow{b} d_2 \iff b = a\ \&\ d_1 = d_2$

(iv)(a) $(d_1 +^{\mathcal{D}} d_2)\uparrow \iff d_1\uparrow$ or $d_2\uparrow$
(b) $d_1 +^{\mathcal{D}} d_2 \xrightarrow{a} d \iff d_1 \xrightarrow{a} d$ or $d_2 \xrightarrow{a} d$

Restriction:

(v)(a) $(d\backslash^{\mathcal{D}}A)\uparrow \iff d\uparrow$
(b) $d_1\backslash^{\mathcal{D}}A \xrightarrow{a} d_2 \iff \exists e_1, e_2.\ d_1 \xrightarrow{a} e_i\ (i = 1, 2)\ \&\ e_1\backslash^{\mathcal{D}}A \sqsubseteq d_2 \sqsubseteq e_2\backslash^{\mathcal{D}}A\ \&\ a \in A$

Relabelling:

(vi)(a) $(d[S]^{\mathcal{D}})\uparrow \iff d\uparrow$
(b) $d_1[S]^{\mathcal{D}} \xrightarrow{a} d_2 \iff \exists e_1, e_2, b_1, b_2.\ d_1 \xrightarrow{b_i} e_i\ (i = 1, 2)\ \&\ e_1[S]^{\mathcal{D}} \sqsubseteq d_2 \sqsubseteq e_2[S]^{\mathcal{D}}\ \&\ Sb_1 = a = Sb_2$

Product:

(vii)(a) $(d_1 \times^{\mathcal{D}} d_2)\uparrow \iff d_1\uparrow$ or $d_2\uparrow$
(b) $d_1 \times^{\mathcal{D}} d_2 \xrightarrow{a} d \iff \exists u_i, v_i, b_i, c_i\ (i = 1, 2).\ d_1 \xrightarrow{b_i} u_i\ \&\ d_2 \xrightarrow{c_i} v_i\ (i = 1, 2)\ \&\ (u_1 \times v_1) \sqsubseteq d \sqsubseteq (u_2 \times v_2)\ \&\ b_i c_i = a\ (i = 1, 2)$.
Proof. We give two cases for illustration.

(v). We define

$\Theta = \{\{\langle a, d'\backslash^{\mathcal{D}}A\rangle\} : \langle a, d'\rangle \in d,\ a \in A\}$
$\quad \cup\ \{\emptyset : d = \emptyset \text{ or } \exists\langle a, d'\rangle \in d.\ a \notin A\}$
$\quad \cup\ \{\{\bot\} : \bot \in d\}$.

Now

$d\backslash^{\mathcal{D}}A = \mathrm{Con}(\bigcup\Theta^*)$
$= \mathrm{Con}((\bigcup\Theta)^*)$ by [Plo76, p. 477]
$= \mathrm{Con}(\bigcup\Theta)$ since $d \in K(\mathcal{D})$
$= \mathrm{Con}(\{\langle a, d'\backslash A\rangle : \langle a, d'\rangle \in d\ \&\ a \in A\} \cup \{\bot : \bot \in d\})$,

and (v) is readily derived from this description.

(vii). Similarly to (v),

$d_1 \times d_2 = \mathrm{Con}(\{\langle b_1 b_2, e_1 \times e_2\rangle : \langle b_i, e_i\rangle \in d_i,\ i = 1, 2\} \cup \{\bot : \bot \in d_1 \text{ or } \bot \in d_2\})$. ∎

Proposition 5.6.7 For all $t \in T_\Sigma$, $t \sim [\![t]\!]^{\mathcal{D}}$.

Proof. Firstly, we define a height function on $T_\Sigma$ in the obvious way:

$\mathrm{ht}(\sigma(t_1, \ldots, t_n)) = \sup\{\mathrm{ht}(t_i) : 1 \le i \le n\} + 1$.

As an easy consequence of 5.6.3 we have:

$t \xrightarrow{a} t' \implies \mathrm{ht}(t') < \mathrm{ht}(t)$.

The proposition is proved by induction on $\mathrm{ht}(t)$, and cases on the construction of $t$. The cases arising from operations in $\Sigma'$ are immediate in the light of the parallelism between 5.6.3 and 5.6.6. We give one of the remaining cases for illustration.
$t = t_1\backslash A$. Firstly,



Next, 



$t\uparrow \iff t_1\uparrow$ by 5.6.3(v)
$\iff [\![t_1]\!]^{\mathcal{D}}\uparrow$ by induction hypothesis

. t At' 

^ 3d'. A rf' & t'i<^rf' ind. hyp. on ti 

=^ t[ \A |t; \Al^ ind. hyp. on \A 

<!'d'\^A byEXm 
(since \ is monotone) 



=^ 3n. |tp A M & t'<^u bv lSCT 
Similarly, we can show 



t A t' ^ 3m. Iti^ A M & M<^t'. 
Again,



=^ 3di,d2. |tip Ac/i, t = l,2 
& rfi □ d □ d2 

kaeA bv lSCT v) 
=^ 3t[,t',.t,^t',, 1 = 1,2 

^ t'l^^di, d2^^t'2 by induction hypothesis 

=^ t^t[\A, i = 1,2 

& t'l \A ~^ \A\^ by induction hypothesis 

= m^FA <^ d,\^A <^d, 

and similarly $d \lesssim t_2'\backslash A$. Altogether, we have $t \sim [\![t]\!]^{\mathcal{D}}$. ∎

As an immediate consequence of this Proposition and 5.3.11 we have

Theorem 5.6.8 (Full Abstraction for Finite Terms) For all $t_1, t_2 \in T_\Sigma$:

As further consequences of 5.6.8 we have

• $[\![\cdot]\!]^{\mathcal{D}}$ agrees with the syntax-free map $[\![\cdot]\!]$ defined in Section 5. Indeed, $t \sim [\![t]\!]^{\mathcal{D}}$ implies $\mathcal{L}_\omega(t) = \mathcal{L}_\omega([\![t]\!]^{\mathcal{D}})$, which implies $[\![t]\!]^{\mathcal{D}} = [\![t]\!]$.

• $T_\Sigma$ is a finitary transition system, by 5.5.22.

Moreover, we can derive two further characterisations of $\mathcal{D}$.

Theorem 5.6.9 (i) $K(\mathcal{D}) \cong (T_{\Sigma'}/\!\sim,\ \lesssim/\!\sim)$; and therefore
(ii) $\mathcal{D} \cong \mathrm{Idl}(T_{\Sigma'}/\!\sim,\ \lesssim/\!\sim)$.

Proof. Immediate from 5.6.3 and 5.6.8. ∎

We recall the notion of continuous $\Sigma$-algebra [GTW78, Gue81]. This is just a $\Sigma$-algebra whose carrier is a cpo, and whose operations are continuous. A homomorphism of such algebras which is continuous on the carriers is a continuous $\Sigma$-homomorphism. The category of these algebras and homomorphisms is denoted CAlg($\Sigma$).
Definition 5.6.10 SCCS-Alg is the full subcategory of CAlg($\Sigma$) of those algebras $A$ satisfying

Theorem 5.6.11 $\mathcal{D}_\Sigma$ is initial in SCCS-Alg.

Proof. We begin by recalling a useful fact about continuous algebras ([Gue81, Proposition 3.12]). Suppose $A$ is a continuous algebra whose carrier is an algebraic domain, such that the finite elements $K(A)$ form a $\Sigma$-subalgebra. Then, given any monotonic $\Sigma$-homomorphism

$f : K(A) \to B$

to a continuous $\Sigma$-algebra $B$, there is a unique extension

$\bar{f} : A \to B$

to a continuous $\Sigma$-homomorphism on $A$.

By 5.6.5, $K(\mathcal{D})$ is closed under the $\Sigma$-operations. Hence it suffices to construct a unique monotone $\Sigma$-homomorphism

$f : K(\mathcal{D}) \to A$

to any $A$ in SCCS-Alg. Given $d \in K(\mathcal{D})$, by 5.6.5 there is $t \in T_\Sigma$ with $[\![t]\!]^{\mathcal{D}} = d$, and the only possible definition for $f$ giving a $\Sigma$-homomorphism is $f(d) = [\![t]\!]^A$. This establishes uniqueness. For existence,

$[\![t_1]\!]^{\mathcal{D}} = [\![t_2]\!]^{\mathcal{D}} \implies t_1 \sim t_2$ by 5.6.8
$\implies [\![t_1]\!]^A = [\![t_2]\!]^A$

since $A$ is in SCCS-Alg, and so $f$ is well-defined. Similarly,

and so $f$ is monotone. ∎

The purely algebraic part of SCCS which we have developed so far only 
allows the description of finite processes. We now extend the calculus with 
recursion. 
Definition 5.6.12 We fix a set of variables Var, ranged over by $x, y, z$. The syntax of recursive terms $REC_\Sigma$ is then defined by

$t ::= \sigma(t_1, \ldots, t_n)\ (\sigma \in \Sigma_n) \mid x \mid \mathrm{rec}\ x.\ t$

In an obvious way, we can take $T_\Sigma$ as a subset of $REC_\Sigma$. Note that $\mathrm{rec}\ x.\ t$ is a variable-binding construct. The set of closed recursive terms is denoted $CREC_\Sigma$.

We now extend the definition of the operational semantics to $CREC_\Sigma$:

$\dfrac{t[\Omega/x]\uparrow}{\mathrm{rec}\ x.\ t\uparrow} \qquad \dfrac{t[\mathrm{rec}\ x.\ t/x] \xrightarrow{a} t'}{\mathrm{rec}\ x.\ t \xrightarrow{a} t'}$

We thus obtain a transition system $(CREC_\Sigma, \mathrm{Act}, \to, \uparrow)$. It is not too hard to see that this system is weakly finite-branching, and therefore by 5.5.23 satisfies (BN). However, most of the other finiteness conditions on transition systems fail, as the following examples show.



Examples

(1) Failure of sort-finiteness. Assume Act is infinite, in particular that $\{a_n\}$ is a sequence of distinct actions, and that $S$ is a relabelling such that

$S a_n = a_{n+1} \qquad (n \in \omega)$.

Then

$\mathrm{rec}\ x.\ a_0 O + x[S]$

has the behaviour described by the synchronisation tree

$\sum_{n \in \omega} a_n O + \Omega$.

(2) Failure of (FA), and $\lesssim^{\omega} \neq \lesssim$. By the example following 5.5.23 it suffices to show that the synchronisation tree

$p = \sum_{n \in \omega} a^n O + \Omega$

can be defined in SCCS to disprove (FA); while the same example shows that $\lesssim^{\omega} \neq \lesssim$ since
and we can define $a^{\omega} = \mathrm{rec}\ x.\ ax$. But using unguarded recursion (cf. [Mil83]), we can define

$p = (\mathrm{rec}\ x.\ (A_a + (A_a \times x)))\backslash\{a\}$

where $A_a = \mathrm{rec}\ y.\ a1^{\omega} + 1y$.

(3) $\lesssim_{\omega} \neq \lesssim^{\omega}$. Again, following the examples after 5.5.10 it suffices to show that the synchronisation trees

$p = a(\sum_{n \in N} b_n O) + \Omega$

$q = \sum_{n \in N} a(\sum_{m \in N - \{n\}} b_m O + \Omega) + \Omega$

are definable in SCCS. Clearly $p$ is definable in the same way as Example (1). For $q$, we need some additional assumptions on Act:

• There are $c, \{c_n\} \in \mathrm{Act}$ such that, for $k, m \in N$:

$c^{(k)} c_m = b_m \qquad (k \neq m)$

where $c^{(k)} = \underbrace{c \cdots c}_{k}$, i.e. the $k$-fold product in the monoid Act.

• There is a relabelling $S$ such that

$S c_n = c_{n+1} \qquad (n \in N)$.

(To see that these requirements can be met, let Act be the free abelian monoid over the generators $0, a, b_k, c, c_k$ ($k \in N$) subject to the relations

$0x = x0 = 0,\quad c^{(k)} c_m = b_m\ (k \neq m),\quad c^{(k)} c_k = b_{k+1}$

for $k, m \in N$. Let $S$ be the endomorphism induced by

$S0 = Sa = Sb_k = Sc = 0,\quad Sc_k = c_{k+1}$,

which is well-defined since $S$ preserves the relations.)
Then we can define

$q = \mathrm{rec}\ x.\ ar + (1cO \times x)$
$r = \mathrm{rec}\ y.\ c_1 O + x[S]$,

and calculate:

$r = \sum_{n} c_n O + \Omega$,

$q = \sum_{n \in N}\Big(\prod_{k=1}^{n} 1cO \times ar\Big) + \Omega$
$\quad = \sum_{n \in N} a\Big(c^{(n)} O \times \sum_{m \in N} c_m O + \Omega\Big) + \Omega$
$\quad = \sum_{n \in N} a\Big(\sum_{m \in N} (c^{(n)} c_m) O + \Omega\Big) + \Omega$
$\quad = \sum_{n \in N} a\Big(\sum_{m \in N - \{n\}} b_m O + \Omega\Big) + \Omega$

as required.

By contrast with Example (3), Hennessy claims in [Hen81, Theorem 4.1] that $\lesssim_{\omega} = \lesssim^{\omega}$ for SCCS. The defect in his argument occurs in the definition of $p^{(n)}$ at the start of section 4 of [Hen81]: there appears to be an implicit assumption that SCCS is sort-finite. Indeed, as an easy consequence of our work in the previous Section, we have

Proposition 5.6.13 In any sort-finite transition system satisfying (BN): $\lesssim_{\omega} = \lesssim^{\omega}$.

Proof. Let $p, q \in$ Proc in such a system.

$p \lesssim^{\omega} q \implies \mathcal{L}_\omega(p) \subseteq \mathcal{L}_\omega(q)$
$\implies \mathcal{L}_{\vee\infty}(p) \subseteq \mathcal{L}_{\vee\infty}(q)$ (BN)
$\implies HML_\omega(p) \subseteq HML_\omega(q)$
$\implies p \lesssim_{\omega} q$ sort-finiteness. ∎

Nevertheless, Hennessy's results on full abstraction are valid when $\lesssim_{\omega}$ is replaced by $\lesssim^{\omega}$, and we shall make use of them shortly.
Firstly, we need to extend our denotational semantics $[\![\cdot]\!]^{\mathcal{D}}$ to recursive terms. This is done in the standard way; we introduce environments to deal with variables, and interpret recursion by least fixed points.

Definition 5.6.14 Denotational semantics of recursive terms:

$\mathrm{Env} = \mathcal{D}^{\mathrm{Var}}$

$[\![\cdot]\!]^{\mathcal{D}} : REC_\Sigma \to \mathrm{Env} \to \mathcal{D}$

$[\![\sigma(t_1, \ldots, t_n)]\!]^{\mathcal{D}}\rho = \sigma^{\mathcal{D}}([\![t_1]\!]^{\mathcal{D}}\rho, \ldots, [\![t_n]\!]^{\mathcal{D}}\rho)$
$[\![\mathrm{rec}\ x.\ t]\!]^{\mathcal{D}}\rho = \mu d \in \mathcal{D}.\ [\![t]\!]^{\mathcal{D}}\rho[x \mapsto d]$.

We now want to extend our Full Abstraction Theorem to recursive terms. We can use Hennessy's results in [Hen81] to get a cheap proof. In that paper, Hennessy constructs a term model $\mathcal{I}$ with the following properties:

1. $\mathcal{I}$ is an algebraic continuous $\Sigma$-algebra all finite elements of which are definable in $T_\Sigma$.

2. $\mathcal{I}$ is fully abstract for recursive terms with respect to the finitary preorder; for all $t_1, t_2 \in CREC_\Sigma$:

Combining (1) and (2) with Theorem 5.6.11 we obtain

Theorem 5.6.15 $\mathcal{D}_\Sigma$ and $\mathcal{I}$ are isomorphic as continuous $\Sigma$-algebras.

Let $h : \mathcal{D}_\Sigma \to \mathcal{I}$ be the isomorphism given by Theorem 5.6.15. It is immediate that $h$ preserves denotations of terms in $T_\Sigma$:

$\forall t \in T_\Sigma.\ h([\![t]\!]^{\mathcal{D}}) = [\![t]\!]^{\mathcal{I}}$.
To extend this to recursive terms we need one further piece of machinery. 
Definition 5.6.16 Let $\approx$ be the least $\Sigma$-congruence over $REC_\Sigma$ generated by

$\mathrm{rec}\ x.\ t \approx t[\mathrm{rec}\ x.\ t/x]$.

Let $t_\Omega$ be the term obtained from $t$ by replacing each subexpression of the form $\mathrm{rec}\ x.\ t'$ by $\Omega$. The syntactic approximants of $t$ are defined by:

$SA(t) = \{t'_\Omega : t' \approx t\}$.

Note that $SA(t) \subseteq T_\Sigma$ for all $t \in CREC_\Sigma$.

Now the following is standard (cf. e.g. [GTWW77]):

Lemma 5.6.17 (Syntactic Approximation) For all $t \in CREC_\Sigma$:

Hennessy proves the corresponding result for $[\![\cdot]\!]^{\mathcal{I}}$ as his Lemma 3.4.

Proposition 5.6.18 For all $t \in CREC_\Sigma$:

$h([\![t]\!]^{\mathcal{D}}) = [\![t]\!]^{\mathcal{I}}$.

Proof.

$h([\![t]\!]^{\mathcal{D}}) = h(\bigsqcup\{[\![t']\!]^{\mathcal{D}} : t' \in SA(t)\})$ by 5.6.17
$= \bigsqcup\{h([\![t']\!]^{\mathcal{D}}) : t' \in SA(t)\}$ $h$ is continuous
$= \bigsqcup\{[\![t']\!]^{\mathcal{I}} : t' \in SA(t)\}$ by 5.6.15
$= [\![t]\!]^{\mathcal{I}}$. ∎

Theorem 5.6.19 (Full Abstraction for Recursive Terms) For all $t_1, t_2 \in CREC_\Sigma$:

Proof.

by 5.6.18 and since $h$ is an order-isomorphism. ∎

Since $\mathcal{D}$ is algebraic, this result extends to terms with variables in the obvious way. It follows that the axiomatisation of the order and equality relations between terms of SCCS presented in [Hen81] is sound and complete for $\mathcal{D}_\Sigma$.
Chapter 6

Applications to Functional Programming: The Lazy Lambda-Calculus

6.1 Introduction 

In this Chapter, we turn to our second case study, which concerns the foundations of functional programming. Once again, we aim not merely to exemplify our theory, but to use it in order to break some new ground.

The commonly accepted basis for functional programming is the λ-calculus; and it is folklore that the λ-calculus is the prototypical functional language in purified form. But what is the λ-calculus? The syntax is simple and classical; variables, abstraction and application in the pure calculus, with applied calculi obtained by adding constants. The further elaboration of the theory, covering conversion, reduction, theories and models, is laid out in Barendregt's already classical treatise [Bar84]. It is instructive to recall the following crux, which occurs rather early in that work (p. 39):

Meaning of λ-terms: first attempt

• The meaning of a λ-term is its normal form (if it exists).

• All terms without normal forms are identified.

This proposal incorporates such a simple and natural interpretation of the λ-calculus as a programming language, that if it worked there would surely be
no doubt that it was the right one. However, it gives rise to an inconsistent theory! (see the above reference).

Second attempt

• The meaning of λ-terms is based on head normal forms via the notion of Böhm tree.

• All unsolvable terms (no head normal form) are identified.

This second attempt forms the central theme of Barendregt's book, and gives rise to a very beautiful and successful theory (henceforth referred to as the "standard theory"), as that work shows.

This, then, is the commonly accepted foundation for functional programming; more precisely, for the lazy functional languages, which represent the mainstream of current functional programming practice. Examples: MIRANDA [Tur85], LML [Aug84], LISPKIT [Hen80], ORWELL [Wad85], PONDER [Fai85], TALE [BvL86]. But do these languages as defined and implemented actually evaluate terms to head normal form? To the best of my knowledge, not a single one of them does so. Instead, they evaluate to weak head normal form, i.e. they do not evaluate under abstractions.

Example

$\lambda x.(\lambda y.y)M$ is in weak head normal form, but not in head normal form, since it contains the head redex $(\lambda y.y)M$.

So we have a mismatch between theory and practice. Since current practice is well-motivated by efficiency considerations and is unlikely to be abandoned readily, it makes sense to see if a good modified theory can be developed for it. To see that the theory really does need to be modified:

Example

Let $\Omega = (\lambda x.xx)(\lambda x.xx)$ be the standard unsolvable term. Then

$\lambda x.\Omega = \Omega$

in the standard theory, since $\lambda x.\Omega$ is also unsolvable; but $\lambda x.\Omega$ is in weak head normal form, hence should be distinguished from $\Omega$ in our "lazy" theory.
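The following added example (not from the thesis) makes the two examples above concrete: a de Bruijn encoding of λ-terms with weak head reduction, i.e. reduction that contracts the head redex but never goes under an abstraction, beside tests for weak head normal form and head normal form. The term encoding and the fuel bound used to report divergence are assumptions of this example.

```python
# Added example (not from the thesis): untyped lambda-terms in de Bruijn
# notation, weak head reduction, and the whnf / hnf distinction.

def var(n): return ('var', n)            # de Bruijn index n
def lam(body): return ('lam', body)      # abstraction
def app(f, x): return ('app', f, x)      # application

def shift(t, d, cutoff=0):
    """Add d to every free index >= cutoff (standard de Bruijn shifting)."""
    k = t[0]
    if k == 'var':
        return var(t[1] + d) if t[1] >= cutoff else t
    if k == 'lam':
        return lam(shift(t[1], d, cutoff + 1))
    return app(shift(t[1], d, cutoff), shift(t[2], d, cutoff))

def subst(t, j, s):
    """t[j := s]; de Bruijn indices make this capture-avoiding by construction."""
    k = t[0]
    if k == 'var':
        return s if t[1] == j else t
    if k == 'lam':
        return lam(subst(t[1], j + 1, shift(s, 1)))
    return app(subst(t[1], j, s), subst(t[2], j, s))

def beta(body, arg):
    """Contract the redex (λ.body) arg."""
    return shift(subst(body, 0, shift(arg, 1)), -1)

def head_is_variable(t):
    while t[0] == 'app':
        t = t[1]
    return t[0] == 'var'

def is_whnf(t):
    """Weak head normal form: an abstraction, or a variable applied to arguments."""
    return t[0] == 'lam' or head_is_variable(t)

def is_hnf(t):
    """Head normal form: λx1...xn. y M1 ... Mk, i.e. a variable head under the λs."""
    while t[0] == 'lam':
        t = t[1]
    return head_is_variable(t)

def whnf_step(t):
    """One lazy reduction step: contract the head redex, never under a λ.
    Returns None when t is already in weak head normal form."""
    if t[0] != 'app':
        return None
    f, x = t[1], t[2]
    if f[0] == 'lam':
        return beta(f[1], x)
    f2 = whnf_step(f)
    return None if f2 is None else app(f2, x)

def eval_whnf(t, fuel=50):
    """Reduce to whnf; None signals that the step budget ran out (divergence).
    The fuel bound is an assumption of this example, not a semantic notion."""
    for _ in range(fuel):
        nxt = whnf_step(t)
        if nxt is None:
            return t
        t = nxt
    return None

I = lam(var(0))                          # λx.x
K = lam(lam(var(1)))                     # λx.λy.x
D = lam(app(var(0), var(0)))             # λx.xx
OMEGA = app(D, D)                        # Ω = (λx.xx)(λx.xx), the unsolvable term
M = var(1)                               # a free variable playing the role of M
EXAMPLE_1 = lam(app(I, M))               # λx.(λy.y)M   (whnf, not hnf)
EXAMPLE_2 = lam(OMEGA)                   # λx.Ω          (whnf, unsolvable)

def classify(t):
    """(is weak head normal form, is head normal form)."""
    return (is_whnf(t), is_hnf(t))

if __name__ == '__main__':
    print(classify(EXAMPLE_1))                      # (True, False)
    print(classify(EXAMPLE_2))                      # (True, False)
    print(eval_whnf(OMEGA))                         # None: no whnf, evaluation diverges
    print(eval_whnf(app(app(K, I), OMEGA)) == I)    # True: lazy K discards the diverging Ω
```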
We now turn to a second point in which the standard theory is not completely satisfactory.

Is the λ-calculus a programming language?

In the standard theory, the λ-calculus may be regarded as being characterised by the type equation

$D = [D \to D]$

(for justification of this in a general categorical framework, see e.g. [Sco80b, Koy82, LS86]).



It is one of the most remarkable features of the various categories of domains used in denotational semantics that they admit non-trivial solutions of this equation. However, there is no canonical solution in any of these categories (in particular, the initial solution is trivial - the one-point domain).

I regard this as a symptom of the fact that the pure λ-calculus in the standard theory is not a programming language. Of course, this is to some extent a matter of terminology, but I feel that the expression "programming language" should be reserved for a formalism with a definite computational interpretation (an operational semantics). The pure λ-calculus as ordinarily conceived is too schematic to qualify.

A further indication of the same point is that studies such as Plotkin's "LCF Considered as a Programming Language" [Plo77] have not been carried over to the pure λ-calculus, for lack of any convincing way of doing so in the standard theory. This in turn impedes the development of a theory which integrates the λ-calculus with concurrency and other computational notions.

We shall see that by contrast with this situation, the lazy λ-calculus we shall develop does have a canonical model; that Plotkin's ideas can be carried over to it in a very natural way; and that the theory we shall develop will run quite strikingly in parallel with our treatment of concurrency in the previous Chapter.

The plan of the remainder of the Chapter is as follows. In the next section, 
we introduce the intuitions on which our theory is based, in the concrete 
setting of $\lambda$-terms. We then set up the axiomatic framework for our theory, 
based on the notion of applicative transition systems. This forms a bridge 
both to the standard theory, and to concurrency and other computational 
notions. Just as in Chapter 4, we introduce a domain equation for applicative 
transition systems, and the corresponding domain logic. We prove Duality, 
Characterisation, and Final Algebra theorems. 

We then show how the ideas of [Plo77] can be formulated in our setting. 
Two distinctive features of our approach are: 

• the axiomatic treatment of concepts and results usually presented 
concretely in work on programming language semantics 

• the use of our domain logic as a tool in studying the equational theory 
over our "programs" ($\lambda$-terms). 

Our results can also be interpreted as settling a number of questions and 
conjectures concerning the Domain Interpretation of Martin-Löf's Intuitionistic 
Type Theory raised at the 1983 Chalmers University Workshop on Semantics 
of Programming Languages [DNPS83]. 

Finally, we consider some extensions and variations of the theory. 
6.2 The Lazy Lambda-Calculus 

We begin with the syntax, which is standard. 

Definition 6.2.1 We assume a set $Var$ of variables, ranged over by $x, y, z$. 
The set $\Lambda$ of $\lambda$-terms, ranged over by $M, N, P, Q, R$ is defined by 

  $M ::= x \mid \lambda x.M \mid MN.$ 

For standard notions of free and bound variables etc. we refer to [Bar84]. 
The reader should also refer to that work for definitions of notation such as: 
$FV(M)$, $C[\cdot]$, $\Lambda^\circ$. Our one point of difference concerns substitution; we write 
$M[N/x]$ rather than $M[x := N]$. 

Definition 6.2.2 The relation $M \Downarrow N$ ("$M$ converges to principal weak head 
normal form $N$") is defined inductively over $\Lambda^\circ$ as follows: 

• $\lambda x.M \Downarrow \lambda x.M$ 

• $\dfrac{M \Downarrow \lambda x.P \qquad P[N/x] \Downarrow Q}{MN \Downarrow Q}$ 

Notation 

  $M\Downarrow \;\equiv\; \exists N.\, M \Downarrow N$ ("$M$ converges") 
  $M\Uparrow \;\equiv\; \neg(M\Downarrow)$ ("$M$ diverges") 

It is clear that $\Downarrow$ is a partial function, i.e. evaluation is deterministic. 

We now have an (unlabelled) transition system $(\Lambda^\circ, \Downarrow)$. The relation $\Downarrow$ 
by itself is too "shallow" to yield information about the behaviour of a term 
under all experiments. However, just as in the study of concurrency, we shall 
use it as a building block for a deeper relation, which we shall call applicative 
bisimulation. To motivate this relation, let us spell out the observational 
scenario we have in mind. 

Given a closed term $M$, the only experiment of depth 1 we can do is to 
evaluate $M$ and see if it converges to some abstraction (weak head normal 
form) $\lambda x.M_1$. If it does so, we can continue the experiment to depth 2 
by supplying a term $N_1$ as input to $M_1$, and so on. Note that what the 
experimenter can observe at each stage is only the fact of convergence, not 
which term lies under the abstraction. We can picture matters thus: 

Stage 1 of experiment: $M \Downarrow \lambda x.M_1$; 

                       environment "consumes" $\lambda$, 
                       produces $N_1$ as input 

Stage 2 of experiment: $M_1[N_1/x] \Downarrow \ldots$ 
Definition 6.2.3 (Applicative Bisimulation) We define a sequence of 
relations $\{\lesssim^k\}_{k \in \omega}$ on $\Lambda^\circ$: 

  $M \lesssim^0 N$ always 

  $M \lesssim^{k+1} N \;\equiv\; M \Downarrow \lambda x.M_1 \Rightarrow \exists N_1.\, N \Downarrow \lambda y.N_1 \;\&\; \forall P \in \Lambda^\circ.\, M_1[P/x] \lesssim^k N_1[P/y]$ 

  $M \lesssim^B N \;\equiv\; \forall k \in \omega.\, M \lesssim^k N$ 

Clearly each $\lesssim^k$ and $\lesssim^B$ is a preorder. We extend $\lesssim^B$ to $\Lambda$ by: 

  $M \lesssim^B N \;\equiv\; \forall \sigma : Var \to \Lambda^\circ.\, M\sigma \lesssim^B N\sigma$ 

(where e.g. $M\sigma$ means the result of substituting $\sigma x$ for each $x \in FV(M)$ in 
$M$). Finally, 

  $M \sim^B N \;\equiv\; M \lesssim^B N \;\&\; N \lesssim^B M.$ 

Analogously to our treatment of bisimulation in the previous Chapter, $\lesssim^B$ 
can be shown to be the maximal fixpoint of a certain function, and hence to 
satisfy: 

  $M \lesssim^B N \;\Leftrightarrow\; M \Downarrow \lambda x.M_1 \Rightarrow \exists N_1.\, N \Downarrow \lambda y.N_1 \;\&\; \forall P \in \Lambda^\circ.\, M_1[P/x] \lesssim^B N_1[P/y]$ 

Further details are given in the next section. 
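The examples of section 6.1 and Definitions 6.2.2 and 6.2.3 can be exercised mechanically. The Python below is an added illustration and is not code from the thesis: `whnf` is Definition 6.2.2 read as an evaluator (with a step budget standing in for the undecidable $M\Uparrow$), `is_hnf` separates weak head normal form from head normal form, and `refutes` runs the depth-$k$ experiments of Definition 6.2.3 with the quantifier over $\Lambda^\circ$ restricted to a finite list of closed probe terms, so it can refute $M \lesssim^k N$ but never confirm $M \lesssim^B N$. The term encodings (`I`, `K`, `Omega`, `Y`, `YK`) and all function names are my own, and the probe list is a constructed sample.

```python
from dataclasses import dataclass
from itertools import count
from typing import Optional, Union

# λ-terms, Definition 6.2.1: M ::= x | λx.M | MN   (my encoding, not the thesis's)
@dataclass(frozen=True)
class Var:
    name: str
@dataclass(frozen=True)
class Lam:
    x: str
    body: "Term"
@dataclass(frozen=True)
class App:
    fun: "Term"
    arg: "Term"
Term = Union[Var, Lam, App]
_fresh = count()

def free_vars(t: Term) -> frozenset:
    if isinstance(t, Var):
        return frozenset([t.name])
    if isinstance(t, Lam):
        return free_vars(t.body) - {t.x}
    return free_vars(t.fun) | free_vars(t.arg)

def subst(t: Term, x: str, n: Term) -> Term:
    """Capture-avoiding substitution, written M[N/x] in the thesis."""
    if isinstance(t, Var):
        return n if t.name == x else t
    if isinstance(t, App):
        return App(subst(t.fun, x, n), subst(t.arg, x, n))
    if t.x == x:                              # x is rebound here: nothing to do
        return t
    if t.x in free_vars(n):                   # rename the binder to avoid capture
        y = f"{t.x}_{next(_fresh)}"
        return Lam(y, subst(subst(t.body, t.x, Var(y)), x, n))
    return Lam(t.x, subst(t.body, x, n))

def whnf(t: Term, fuel: int = 2000) -> Optional[Lam]:
    """Definition 6.2.2 on closed terms: the N with M ⇓ N, or None when no
    convergence is seen within `fuel` β-steps (a finite stand-in for M⇑).
    Nothing is evaluated under a λ, and an argument is reduced only once it
    reaches head position, so the lazy behaviour of ⇓ is preserved."""
    budget = [fuel]

    def go(t: Term) -> Optional[Lam]:
        while True:
            if isinstance(t, Lam):            # λx.M ⇓ λx.M
                return t
            if isinstance(t, Var):
                raise ValueError("whnf is defined on closed terms only")
            if budget[0] == 0:
                return None
            budget[0] -= 1
            f = go(t.fun)                     # M ⇓ λx.P ...
            if f is None:
                return None
            t = subst(f.body, f.x, t.arg)     # ... then continue with P[N/x]
    return go(t)

def converges(t: Term, fuel: int = 2000) -> bool:
    return whnf(t, fuel) is not None

def is_hnf(t: Term) -> bool:
    """Head normal form λx1...xn.y M1...Mk: under the leading λs the head is a variable."""
    while isinstance(t, Lam):
        t = t.body
    while isinstance(t, App):
        t = t.fun
    return isinstance(t, Var)

def refutes(m: Term, n: Term, depth: int, probes) -> bool:
    """Search for a counterexample to M ≲^depth N (Definition 6.2.3), letting the
    quantifier ∀P ∈ Λ° range only over the finite list `probes`.  True means
    M ≲ N is refuted; False only means that no listed probe refuted it."""
    if depth == 0:
        return False                          # M ≲^0 N always
    fm = whnf(m)
    if fm is None:                            # M⇑: nothing is observable at this stage
        return False
    fn = whnf(n)
    if fn is None:                            # M⇓ but N⇑: convergence tells them apart
        return True
    return any(refutes(subst(fm.body, fm.x, p), subst(fn.body, fn.x, p), depth - 1, probes)
               for p in probes)

def apply_to(t: Term, *args: Term) -> Term:
    for a in args:
        t = App(t, a)
    return t

# Constructed closed terms used as inputs (my encodings of the terms named in the text).
x, f = Var("x"), Var("f")
I = Lam("x", x)
K = Lam("x", Lam("y", x))
Omega = App(Lam("x", App(x, x)), Lam("x", App(x, x)))          # Ω
Y = Lam("f", App(Lam("x", App(f, App(x, x))), Lam("x", App(f, App(x, x)))))
YK = App(Y, K)
PROBES = [I, K, Omega, YK]
```

Running it shows that $\Omega$ diverges while $\lambda x.\Omega$ converges, that $K\,I\,\Omega$ evaluates to $I$ without ever touching $\Omega$, that $YK$ converges under any number of arguments, and that $YK \lesssim I$ is refuted at depth 2 by the probe $\Omega$ whereas no probe refutes $I \lesssim YK$, in line with 6.2.7(iv) below.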

The applicative bisimulation relation can be described in a more traditional 
way (from the point of view of $\lambda$-calculus) as a "Morris-style contextual 
congruence" [Mor68, Plo77, Mil77, Bar84]. 

Definition 6.2.4 The relation $\lesssim^C$ on $\Lambda^\circ$ is defined by 

  $M \lesssim^C N \;\equiv\; \forall C[\cdot] \in \Lambda^\circ.\, C[M]\Downarrow \Rightarrow C[N]\Downarrow.$ 

This is extended to $\Lambda$ in the same way as $\lesssim^B$. 

Proposition 6.2.5 $\lesssim^B = \lesssim^C$. 

This is a special case of a result we will prove later. Our proof will make 
essential use of domain logic, despite the fact that the statement of the result 
does not mention domains at all. The reader who may be sceptical of our 
approach is invited to attempt a direct proof. 

We now list some basic properties of the relation $\lesssim^B$ (superscript omitted). 

Proposition 6.2.6 For all $M, N, P \in \Lambda$: 

  (i) $M \lesssim M$ 

  (ii) $M \lesssim N \;\&\; N \lesssim P \Rightarrow M \lesssim P$ 

  (iii) $M \lesssim N \Rightarrow M[P/x] \lesssim N[P/x]$ 

  (iv) $M \lesssim N \Rightarrow P[M/x] \lesssim P[N/x]$ 

  (v) $\lambda x.M \sim \lambda y.M[y/x]$ 

  (vi) $M \lesssim N \Rightarrow \lambda x.M \lesssim \lambda x.N$ 

  (vii) $M_i \lesssim N_i\ (i = 1, 2) \Rightarrow M_1 M_2 \lesssim N_1 N_2.$ 

Proof. (i)-(iii) and (v)-(vi) are trivial; (vii) follows from (ii) and (iv), 
since taking $C_1 = [\cdot]M_2$, $M_1 M_2 \lesssim N_1 M_2$, and taking $C_2 = N_1[\cdot]$, $N_1 M_2 \lesssim N_1 N_2$, 
whence $M_1 M_2 \lesssim N_1 N_2$. It remains to prove (iv), which by 2.5 is equivalent to 

  $M \lesssim^C N \Rightarrow P[M/x] \lesssim^C P[N/x].$ 

We rename all bound variables in $P$ to avoid clashes with $M$ and $N$, and 
replace $x$ by $[\cdot]$ to obtain a context $P[\cdot]$ such that 

  $P[M/x] = P[M], \qquad P[N/x] = P[N].$ 

Now let $C[\cdot] \in \Lambda^\circ$ and $\sigma \in Var \to \Lambda^\circ$ be given. Let $C_1[\cdot] = C[P[\cdot]\sigma]$. $M \lesssim^C N$ 
implies 

which, since $(P[M/x])\sigma = (P[\cdot]\sigma)[M\sigma]$, yields 

  $C[(P[M/x])\sigma]\Downarrow \;\Rightarrow\; C[(P[N/x])\sigma]\Downarrow$ 

as required. ■ 

This Proposition can be summarised as saying that $\lesssim^B$ is a precongruence. 
We thus have an (in)equational theory $\lambda\ell = (\Lambda, \sqsubseteq, =)$, where: 

  $\lambda\ell \vdash M \sqsubseteq N \;\equiv\; M \lesssim^B N$ 
  $\lambda\ell \vdash M = N \;\equiv\; M \sim^B N.$ 

What does this theory look like? 

Proposition 6.2.7 (i) The theory $\lambda$ [Bar84] is included in $\lambda\ell$; in particular, 

  $\lambda\ell \vdash (\lambda x.M)N = M[N/x] \quad (\beta).$ 

(ii) $\Omega \equiv (\lambda x.xx)(\lambda x.xx)$ is a least element for $\sqsubseteq$, i.e. 

  $\lambda\ell \vdash \Omega \sqsubseteq x.$ 

(iii) $(\eta)$ is not valid in $\lambda\ell$, e.g. 

  $\lambda\ell \nvdash \lambda x.\Omega x = \Omega,$ 

but we do have the following conditional version of $\eta$: 

  $(\Downarrow\eta) \quad \lambda\ell \vdash \lambda x.Mx = M \quad (M\Downarrow,\ x \notin FV(M))$ 

  $(M\Downarrow \;\equiv\; \forall \sigma \in Var \to \Lambda^\circ.\, (M\sigma)\Downarrow).$ 

(iv) $YK$ is a greatest element for $\sqsubseteq$, i.e. 

  $\lambda\ell \vdash x \sqsubseteq YK.$ 

Proof. (i) is an easy consequence of 6.2.6. 

(ii). $\Omega\Uparrow$, hence $\Omega \lesssim^B M$ for all $M \in \Lambda^\circ$. 

(iii). $\lambda x.\Omega x \not\sim^B \Omega$, since $(\lambda x.\Omega x)\Downarrow$. Now suppose $M\Downarrow$, and let $\sigma : Var \to \Lambda^\circ$ 
be given. Then $(M\sigma) \Downarrow \lambda y.N$, and $(\lambda x.Mx)\sigma \Downarrow \lambda x.(M\sigma)x$. For any $P \in \Lambda^\circ$, 

  $(M\sigma)P \Downarrow Q \;\Leftrightarrow\; ((M\sigma)x)[P/x] \Downarrow Q$ since $x \notin FV(M)$, 
  $\phantom{(M\sigma)P \Downarrow Q} \;\Leftrightarrow\; ((\lambda x.Mx)\sigma)P \Downarrow Q,$ 

and so $M \sim^B \lambda x.Mx$, as required. 

(iv). Note that $YK \Downarrow \lambda y.N$, where $N \equiv (\lambda x.K(xx))(\lambda x.K(xx))$, and that for 
all $P$, 

  $N[P/y] \Downarrow \lambda y.N.$ 

Hence for all $P_1, \ldots, P_n$ $(n \geq 0)$, 

  $YKP_1 \ldots P_n\Downarrow,$ 

and so $M \lesssim^B YK$ for all $M \in \Lambda^\circ$. ■ 

To understand (iv), we can think of $YK$ as the infinite process 

  $\lambda\;\lambda\;\lambda\;\cdots$ (an unending chain of abstractions; the diagram drawn here in the original is omitted) 

solving the equation 

  $\xi = \lambda x.\xi$ 

This is a top element in our applicative bisimulation ordering because it 
converges under all finite stages of evaluation for all arguments — the 
experimenter can always observe convergence (or "consume an infinite $\lambda$-stream"). 

We can make some connections between the theory $\lambda\ell$ and [Lon83], as 
pointed out to me by Luke Ong. Firstly, 6.2.7(ii) can be generalised to: 

• The set of terms in $\Lambda^\circ$ which are least in $\lambda\ell$ are exactly the $PO_0$ terms 
in the terminology of [Lon83]. 

Moreover, $YK$ is an $O_\infty$ term in the terminology of [Lon83], although it is 
not a greatest element in the ordering proposed there. 
6.3 Applicative Transition Systems 

The theory $\lambda\ell$ defined in the previous section was derived from a particular 
operational model, the transition system $(\Lambda^\circ, \Downarrow)$. What is the general concept 
of which this is an example? 

Definition 6.3.1 A quasi-applicative transition system is a structure $(A, ev)$ 
where 

  $ev : A \rightharpoonup (A \to A).$ 

Notations: 

  (i) $a \Downarrow f \;\equiv\; a \in \mathrm{dom}\, ev \;\&\; ev(a) = f$ 
  (ii) $a\Downarrow \;\equiv\; a \in \mathrm{dom}\, ev$ 
  (iii) $a\Uparrow \;\equiv\; a \notin \mathrm{dom}\, ev$ 

Definition 6.3.2 (Applicative Bisimulation) Let $(A, ev)$ be a quasi-ats. 
We define 

  $F : Rel(A) \to Rel(A)$ 

by 

  $F(R) \;\equiv\; \{(a, b) : a \Downarrow f \Rightarrow b \Downarrow g \;\&\; \forall c \in A.\, f(c)\, R\, g(c)\}.$ 

Then $R \in Rel(A)$ is an applicative bisimulation iff $R \subseteq F(R)$; and $\lesssim^B \in Rel(A)$ 
is defined by 

  $a \lesssim^B b \;\equiv\; a R b$ for some applicative bisimulation $R$. 

Thus $\lesssim^B = \bigcup\{R \in Rel(A) : R \subseteq F(R)\}$, and hence is the maximal fixpoint 
of the monotone function $F$. Since the relation $\Downarrow$ is a partial function, it is 
easily shown that the closure ordinal of $F$ is $\leq \omega$, and we can thus describe 
$\lesssim^B$ more explicitly as follows: 

• $a \lesssim^B b \;\equiv\; \forall k \in \omega.\, a \lesssim^k b$ 

• $a \lesssim^0 b$ always 

• $a \lesssim^{k+1} b \;\equiv\; a \Downarrow f \Rightarrow b \Downarrow g \;\&\; \forall c \in A.\, f(c) \lesssim^k g(c)$ 

• $a \sim^B b \;\equiv\; a \lesssim^B b \;\&\; b \lesssim^B a.$ 

It is easily seen that $\lesssim^B$ and also each $\lesssim^k$ is a preorder; $\sim^B$ is therefore an 
equivalence. 

We now come to our main definition. 

Definition 6.3.3 An applicative transition system (ats) is a quasi-ats $(A, ev)$ 
satisfying: 

  $\forall a, b, c \in A.\, a \Downarrow f \;\&\; b \lesssim^B c \Rightarrow f(b) \lesssim^B f(c).$ 

An ats has a well-defined quotient $(A/{\sim^B}, ev/{\sim^B})$, where 

  $ev/{\sim^B}([a]) = \begin{cases} [b] \mapsto [f(b)], & a \Downarrow f \\ \text{undefined} & \text{otherwise.} \end{cases}$ 

The reader should now refresh her memory of such notions as applicative 
structure, combinatory algebra and lambda model from [Bar84, Chapter 5]. 

Definition 6.3.4 A quasi-applicative structure with divergence is a structure 
$(A, \cdot, \Uparrow)$ such that $(A, \cdot)$ is an applicative structure, and $\Uparrow \subseteq A$ is a 
divergence predicate satisfying 

  $x\Uparrow \Rightarrow (x \cdot y)\Uparrow.$ 

Given $(A, \cdot, \Uparrow)$, we can define 

  $a \lesssim^B b \;\equiv\; a\Downarrow \Rightarrow b\Downarrow \;\&\; \forall c \in A.\, a \cdot c \lesssim^B b \cdot c$ 

as the maximal fixpoint of a monotone function along identical lines to 6.3.2. 
Applicative transition systems and applicative structures with divergence 
are not quite equivalent, but are sufficiently so for our purposes: 

Proposition 6.3.5 Given an ats $B = (A, ev)$, we define $A = (A, \cdot, \Uparrow)$ by 

  $a \cdot b = \begin{cases} a, & a\Uparrow \\ f(b), & a \Downarrow f. \end{cases}$ 

Then 

and moreover we can recover $B$ from $A$ by 

  $ev(a) = \begin{cases} b \mapsto a \cdot b, & a\Downarrow \\ \text{undefined} & \text{otherwise.} \end{cases}$ 

Furthermore, $\cdot$ is compatible with $\lesssim^B$, i.e. 

  $a_i \lesssim^B b_i\ (i = 1, 2) \;\Rightarrow\; a_1 \cdot a_2 \lesssim^B b_1 \cdot b_2.$ ■ 

We now turn to a language for talking about these structures. 

Definition 6.3.6 We assume a fixed set of variables $Var$. Given an applicative 
structure $A = (A, \cdot)$, we define $CL(A)$, the combinatory terms over $A$, 
by 

• $Var \subseteq CL(A)$ 

• $\{c_a : a \in A\} \subseteq CL(A)$ 

• $M, N \in CL(A) \Rightarrow MN \in CL(A).$ 

Let $Env(A) = Var \to A$. Then the interpretation function 

  $[\![\cdot]\!]^A : CL(A) \to Env(A) \to A$ 

is defined by: 

Given an ats $A = (A, ev)$, with derived applicative structure $(A, \cdot)$, the 
satisfaction relation between $A$ and atomic formulae over $CL(A)$, of the 
forms 

is defined by: 

while 

  $A \models \phi \;\equiv\; \forall \rho \in Env(A).\, A, \rho \models \phi.$ 

This is extended to first-order formulae in the usual way. 

Note that equality in $CL(A)$ is being interpreted by bisimulation in $A$. 
We could have retained the standard notion of interpretation as in [Bar84] 
by working in the quotient structure $(A/{\sim^B}, \cdot/{\sim^B})$. This is equivalent, in 
the sense that the same sentences are satisfied. 

Definition 6.3.7 A lambda transition system (lts) is a structure $(A, ev, k, s)$, 
where: 

• $(A, ev)$ is an ats 

• $k, s \in A$, and $A$ satisfies the following axioms (writing $K$, $S$ for $c_k$, $c_s$): 

  • $Kxy = x$ 

  • $S\Downarrow,\ Sx\Downarrow,\ Sxy\Downarrow$ 

  • $Sxyz = (xz)(yz)$ 

We now check that these definitions do indeed capture our original example. 

Example 

We define $\ell = (\Lambda^\circ, ev)$, where 

  $ev(M) = \begin{cases} N \mapsto P[N/x], & M \Downarrow \lambda x.P \\ \text{undefined} & \text{otherwise.} \end{cases}$ 

$\ell$ is indeed an ats by 6.2.6(iv). Moreover, it is an lts via the definitions 

  $k = \lambda x.\lambda y.x$ 
  $s = \lambda x.\lambda y.\lambda z.(xz)(yz).$ 

We now see how to interpret $\lambda$-terms in any lts. 

Definition 6.3.8 Given an lts $A$, we define $\Lambda(A)$, the $\lambda$-terms over $A$, by 
the same clauses as for $CL(A)$, plus the additional one: 

• $x \in Var,\ M \in \Lambda(A) \;\Rightarrow\; \lambda x.M \in \Lambda(A).$ 

We define a translation 

  $(\cdot)_{CL} : \Lambda(A) \to CL(A)$ 

by 

  $(x)_{CL} = x$ 
  $(c_a)_{CL} = c_a$ 
  $(MN)_{CL} = (M)_{CL}(N)_{CL}$ 
  $(\lambda x.M)_{CL} = \lambda^* x.(M)_{CL}$ 

where 

  $\lambda^* x.x = I\ (\equiv SKK)$ 
  $\lambda^* x.M = KM \quad (x \notin FV(M))$ 
  $\lambda^* x.MN = S(\lambda^* x.M)(\lambda^* x.N).$ 

We now extend $[\![\cdot]\!]$ to $\Lambda(A)$ by: 

  $[\![M]\!]^A = [\![(M)_{CL}]\!]^A.$ 
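As an added illustration (not the thesis's own code), the following Python implements the translation $(\cdot)_{CL}$ of Definition 6.3.8 and rewrites the result using only the lts axioms $Kxy = x$ and $Sxyz = (xz)(yz)$ of Definition 6.3.7; to compare outputs syntactically it also normalises inside arguments, which goes beyond what an lts itself evaluates. The datatype and the names `bracket`, `to_cl`, `reduce_head` and `normalize` are mine, and the variables `a`, `b`, `c` are constructed inputs.

```python
from dataclasses import dataclass
from typing import Union

# Combinatory terms CL(A) (Definition 6.3.6) with the two constants K and S of an lts,
# plus the λ-abstraction clause of Λ(A) (Definition 6.3.8).  Encoding is my own.
@dataclass(frozen=True)
class V:           # variable
    name: str
@dataclass(frozen=True)
class C:           # constant c_a; only "K" and "S" are used here
    name: str
@dataclass(frozen=True)
class A:           # application MN
    fun: "Term"
    arg: "Term"
@dataclass(frozen=True)
class Lam:         # λx.M
    x: str
    body: "Term"
Term = Union[V, C, A, Lam]
K, S = C("K"), C("S")
I = A(A(S, K), K)                         # I ≡ SKK

def fv(t: Term) -> frozenset:
    if isinstance(t, V):
        return frozenset([t.name])
    if isinstance(t, C):
        return frozenset()
    if isinstance(t, Lam):
        return fv(t.body) - {t.x}
    return fv(t.fun) | fv(t.arg)

def bracket(x: str, m: Term) -> Term:
    """λ*x.M by the three clauses of Definition 6.3.8, tried in the order given."""
    if isinstance(m, V) and m.name == x:
        return I                                            # λ*x.x = I
    if x not in fv(m):
        return A(K, m)                                      # λ*x.M = KM   (x ∉ FV(M))
    return A(A(S, bracket(x, m.fun)), bracket(x, m.arg))    # λ*x.MN = S(λ*x.M)(λ*x.N)

def to_cl(t: Term) -> Term:
    """(·)_CL : Λ(A) → CL(A); the result contains no Lam node."""
    if isinstance(t, (V, C)):
        return t
    if isinstance(t, A):
        return A(to_cl(t.fun), to_cl(t.arg))
    return bracket(t.x, to_cl(t.body))

def spine(t: Term):
    """Decompose t as h a1 ... an and return (h, [a1, ..., an])."""
    args = []
    while isinstance(t, A):
        args.append(t.arg)
        t = t.fun
    return t, args[::-1]

def app(h: Term, *args: Term) -> Term:
    for a in args:
        h = A(h, a)
    return h

def reduce_head(t: Term, fuel: int = 10_000) -> Term:
    """Rewrite at the head with Kxy = x and Sxyz = (xz)(yz) only.  K, Kx, S, Sx and
    Sxy are returned unchanged: they are the converging partial applications of the axioms."""
    for _ in range(fuel):
        h, args = spine(t)
        if h == K and len(args) >= 2:
            t = app(args[0], *args[2:])
        elif h == S and len(args) >= 3:
            x, y, z = args[:3]
            t = app(A(A(x, z), A(y, z)), *args[3:])
        else:
            return t
    raise RuntimeError("fuel exhausted")

def normalize(t: Term, fuel: int = 10_000) -> Term:
    """Head-reduce, then normalise the remaining arguments (for syntactic comparison only)."""
    h, args = spine(reduce_head(t, fuel))
    return app(h, *[normalize(a, fuel) for a in args])

# Constructed inputs: the lts definitions of k and s from the Example above.
k_lam = Lam("x", Lam("y", V("x")))
s_lam = Lam("x", Lam("y", Lam("z", A(A(V("x"), V("z")), A(V("y"), V("z"))))))
a, b, c = V("a"), V("b"), V("c")
```

`to_cl` of $\lambda x.\lambda y.x$ yields $S(KK)I$, and applying it to $a\,b$ reduces to $a$; the translation of $\lambda x.\lambda y.\lambda z.(xz)(yz)$ applied to $a\,b\,c$ normalises to $(ac)(bc)$, while $S\,a\,b$ is left untouched, matching the convergence axiom $Sxy\Downarrow$.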

Definition 6.3.9 We define two sets of formulae over $\Lambda$: 

• Atomic formulae: 

  $AF = \{M \sqsubseteq N,\ M = N,\ M\Downarrow,\ M\Uparrow \;:\; M, N \in \Lambda\}$ 

• Conditional formulae: 

  $CF = \{\bigwedge_{i \in I} M_i\Downarrow \wedge \bigwedge_{j \in J} N_j\Uparrow \Rightarrow F \;:\; F \in AF,\ M_i, N_j \in \Lambda,\ I, J \text{ finite}\}$ 

Note that, taking $I = J = \emptyset$, $AF \subseteq CF$. Now given an lts $A$, $\Theta(A)$, the 
theory of $A$, is defined by 

  $\Theta(A) = \{C \in CF : A \models C\}.$ 

We also write for the restriction of $\Theta(A)$ to closed formulae; and given 
a set $Con$ of constants and an interpretation $Con \to A$, we write $\Theta(A, Con)$ 
for the theory of conditional formulae built from terms in $\Lambda(Con)$. 

Example (continued). We set $\lambda\ell = \Theta(\ell)$. This is consistent with our 
usage in the previous section. We saw there that $\lambda\ell$ satisfied much stronger 
properties than the simple combinatory algebra axioms in our definition of 
lts. It might be expected that these would fail for general lts; but this is to 
overlook the powerful extensionality principle built into our definition of the 
theory of an ats through the applicative bisimulation relation. 

Proposition 6.3.10 Let $A$ be an ats. The axiom scheme of conditional 
extensionality over $CL(A)$: 

  $(\Downarrow\mathrm{ext}) \quad M\Downarrow \;\&\; N\Downarrow \;\Rightarrow\; ([\forall x.\, Mx = Nx] \Rightarrow M = N)$ 

  $(x \notin FV(M) \cup FV(N))$ 

is valid in $A$. 

Proof. Let $\rho \in Env(A)$. 

  $A, \rho \models M\Downarrow \;\&\; N\Downarrow \;\&\; \forall x.\, Mx = Nx$ 

  since $x \notin FV(M) \cup FV(N)$ 

  $\Rightarrow A, \rho \models M = N.$ ■ 

Using this Proposition, we can now generalise most of 6.2.7 to an arbitrary 
lts. 
Theorem 6.3.11 Let $A = (A, ev, k, s)$ be an lts. Then 

(i) $(A, \cdot, k, s)$ is a lambda model, and hence $\lambda \subseteq \Theta(A)$. 

(ii) $A$ satisfies the conditional $\eta$ axiom scheme: 

  $(\Downarrow\eta) \quad M\Downarrow \;\Rightarrow\; \lambda x.Mx = M \quad (x \notin FV(M))$ 

(iii) For all $M \in \Lambda^\circ$: 

  $\lambda\ell \vdash M\Downarrow \;\Rightarrow\; A \models M\Downarrow$ 

(iv) $A \models x \sqsubseteq YK.$ 

(v) $\sqsubseteq$ is a precongruence in $\Theta(A)$. 

Proof. (i). Firstly, by the very definition of lts, $A$ is a combinatory algebra. 
We now use the following result due to Meyer and Scott, cited from [Bar84, 
Theorem 5.6.3, p. 117]: 

• Let $A$ be a combinatory algebra. Define 

  $\mathbf{1} = \mathbf{1}_1 = S(KI),$ 
  $\mathbf{1}_{k+1} = S(K\mathbf{1}_k).$ 

Then $A$ is a lambda model iff it satisfies 

  (I) $\forall x.\, ax = bx \;\Rightarrow\; \mathbf{1}a = \mathbf{1}b$ 
  (II) $\mathbf{1}_2 K = K$ 
  (III) $\mathbf{1}_3 S = S.$ 

Thus it is sufficient to check that $A$ satisfies (I)-(III). For (I), note firstly 
that $A \models \mathbf{1}a\Downarrow \;\&\; \mathbf{1}b\Downarrow$ by the convergence axioms for an lts. Hence we can 
apply 6.3.10 to obtain 

  $A \models [\forall x.\, \mathbf{1}ax = \mathbf{1}bx] \;\Rightarrow\; \mathbf{1}a = \mathbf{1}b.$ 

We now assume $\forall x.\, ax = bx$ and prove $\forall x.\, \mathbf{1}ax = \mathbf{1}bx$: 

  $\mathbf{1}ax = S(KI)ax$ 
  $\phantom{\mathbf{1}ax} = (KI)x(ax)$ 
  $\phantom{\mathbf{1}ax} = (KI)x(bx)$ 
  $\phantom{\mathbf{1}ax} = S(KI)bx$ 
  $\phantom{\mathbf{1}ax} = \mathbf{1}bx.$ 

(II) and (III) are proved similarly. 

(ii). Let $\rho \in Env(A)$, and assume $A, \rho \models M\Downarrow$. We must prove that 

  $A, \rho \models \lambda x.Mx = M.$ 

Firstly, note that for any abstraction $\lambda z.P$, 

  $A \models \lambda z.P\Downarrow$ 

by the definition of $\lambda^* z.P$ and the convergence axioms for an lts. Thus since 
$x \notin FV(M)$, we can apply $(\Downarrow\mathrm{ext})$ to obtain 

  $A, \rho \models [\forall x.\, (\lambda x.Mx)x = Mx] \;\Rightarrow\; \lambda x.Mx = M.$ 

It is thus sufficient to show 

  $A \models (\lambda x.Mx)x = Mx.$ 

But this is just an instance of $(\beta)$, which $A$ satisfies by (i). 

(iii). We calculate: 

  $\lambda\ell \vdash M\Downarrow$ 
  $\Rightarrow \lambda \vdash M = \lambda x.N$ 
  $\Rightarrow A \models M = \lambda x.N$ 
  $\Rightarrow A \models M\Downarrow,$ 

since $A \models \lambda x.N\Downarrow$, as noted in (ii). 

(iv). By (i) and (iii), 

  $A \models YK\Downarrow \;\&\; \forall x.\, (YK)x = YK.$ 

Hence we can use the same argument as in 6.2.7(iv) to prove that 

  $A \models x \sqsubseteq YK.$ 

(v). This assertion amounts to the same list of properties as Proposition 
6.2.6, but with respect to $\Theta(A)$. The only difference in the proof is that 
6.2.6(vii) follows immediately from 6.3.5 and the fact that $A$ is an ats, and 
can then be used to prove 6.2.6(iv) by induction on $P$. ■ 

Part (iii) of the Theorem tells us that all the closed terms which we expect 
to converge must do so in any lts. What of the converse? For example, do 
we have 

  $A \models \Omega\Uparrow$ 

in every lts? This is evidently not the case, since we have not imposed any 
axioms which require anything to be divergent. 

Observation 6.3.12 Let $A = (A, ev)$ be an ats in which $ev$ is total, i.e. 
$\mathrm{dom}\, ev = A$. Then $\Theta(A)$ is inconsistent, in the sense that 

  $A \models x = y.$ 

This is of course because the distinctions made by applicative bisimulation 
are based on divergence. 

In the light of this observation and 6.3.11, it is natural to make the 
following definition in analogy with that in [Bar84]: 

Definition 6.3.13 An lts $A$ is sensible if the converse to 6.3.11(iii) holds, 
i.e. for all $M \in \Lambda^\circ$: 

  $A \models M\Downarrow \;\Leftrightarrow\; \lambda\ell \vdash M\Downarrow \;\Leftrightarrow\; \exists x, N.\, \lambda \vdash M = \lambda x.N.$ 

(The second equivalence is justified by an appeal to the Standardisation 
Theorem [Bar84].) 
6.4 A Domain Equation for Applicative Bisimulation 

We now embark on the same programme as in the previous Chapter; to 
obtain a domain-theoretic analysis of our computational notions, based on a 
suitable domain equation. What this should be is readily elicited from the 
definition of ats. The structure map 

  $ev : A \rightharpoonup (A \to A)$ 

is partial; the standard approach to partial maps in domain theory (pace 
Plotkin's recent work on predomains [Plo85]) is to make them into total ones 
by sending undefined arguments to a "bottom" element, i.e. changing the 
type of $ev$ to 

  $A \to (A \to A)_\bot.$ 

This suggests the domain equation 

  $D = (D \to D)_\bot$ 

i.e. the denotation of the type expression $\mathrm{rec}\, t.(t \to t)_\bot$. This equation is 
composed from the function space and lifting constructions. Since SDom is 
closed under these constructions, $D$ is a Scott domain. Indeed, by the same 
reasoning it is an algebraic lattice. The crucial point is that this equation 
has a non-trivial initial solution, and thus there is a good candidate for a 
canonical model. To see this, consider the "approximants" $D_k$, with $D_0 = 1$, 
$D_{k+1} = (D_k \to D_k)_\bot$. Then 

  $D_1 = (1 \to 1)_\bot = (1)_\bot = O$ 

  $D_2 = (O \to O)_\bot$, with four elements 

  (the Hasse diagrams of $D_1$ and $D_2$ drawn here in the original are omitted) 

etc. We now unpack the structure of $D$. Our treatment will be rather cursory, 
as it proceeds along similar lines to our work in the previous Chapter. Firstly, 
there is an isomorphism pair 

  $\mathrm{unfold} : D \to (D \to D)_\bot,$ 
  $\mathrm{fold} : (D \to D)_\bot \to D.$ 
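The approximants $D_k$ are finite, so their construction can be carried out directly. The Python below is an added example and not from the thesis: it builds the lifting $(D)_\bot$ and the monotone function space $[D \to D]$ on finite posets (on a finite poset every monotone map is continuous, so this is the continuous function space) and iterates $D_{k+1} = (D_k \to D_k)_\bot$ from $D_0 = 1$. The class and function names are my own; `ev` reads the partial structure map off a lifted element.

```python
from itertools import product

class Poset:
    """A finite poset: a list of hashable elements and a ≤ test.  (My helper, not the thesis's.)"""
    def __init__(self, elems, leq):
        self.elems = list(elems)
        self.leq = leq

ONE = Poset(["*"], lambda x, y: True)            # the one-point domain 1 = D_0

def lift(p: Poset) -> Poset:
    """(D)_⊥ = {⊥} ∪ {⟨0,d⟩ : d ∈ D}; ⊥ is below everything, ⟨0,d⟩ ⊑ ⟨0,d'⟩ iff d ⊑ d'."""
    elems = ["bot"] + [("up", d) for d in p.elems]
    def leq(x, y):
        if x == "bot":
            return True
        if y == "bot":
            return False
        return p.leq(x[1], y[1])
    return Poset(elems, leq)

def fun_space(p: Poset) -> Poset:
    """[D → D]: every monotone map D → D, stored as the tuple of its values in the
    order of p.elems, under the pointwise order."""
    n = len(p.elems)
    pairs = [(i, j) for i in range(n) for j in range(n) if p.leq(p.elems[i], p.elems[j])]
    maps = [f for f in product(p.elems, repeat=n)
            if all(p.leq(f[i], f[j]) for i, j in pairs)]
    return Poset(maps, lambda f, g: all(p.leq(f[i], g[i]) for i in range(n)))

def approximants(k: int) -> list:
    """D_0 = 1, D_{k+1} = (D_k → D_k)_⊥; returns [D_0, ..., D_k]."""
    ds = [ONE]
    for _ in range(k):
        ds.append(lift(fun_space(ds[-1])))
    return ds

def sizes(k: int) -> list:
    return [len(d.elems) for d in approximants(k)]

def is_chain(p: Poset) -> bool:
    return all(p.leq(x, y) or p.leq(y, x) for x in p.elems for y in p.elems)

def ev(d):
    """The partial structure map read off a lifted element: defined (the map is
    returned) exactly when d ≠ ⊥, i.e. when d converges; None stands for 'undefined'."""
    return None if d == "bot" else d[1]
```

`sizes(3)` returns `[1, 2, 4, 36]`: $D_1$ is the two-point chain $O$, $D_2$ is the four-element chain described above, and $D_3 = (D_2 \to D_2)_\bot$ already has 36 elements and is no longer a chain. $D_4$ would require enumerating $36^{36}$ candidate maps, so this brute force stops at $k = 3$.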
Next, we recall the categorical description of lifting, as the left adjoint to the 
forgetful functor 

  $U : \mathbf{Dom}_\bot \to \mathbf{Dom}$ 

where $\mathbf{Dom}_\bot$ is the sub-category of strict functions. Thus we have: 

• A natural transformation $\mathrm{up} : I_{\mathbf{Dom}} \to U \circ (\cdot)_\bot$ 

• For each continuous map $f : D \to UE$ its adjoint 

  $\mathrm{lift}(f) : (D)_\bot \to E.$ 

Concretely, we can take 

  $(D)_\bot = \{\bot\} \cup \{\langle 0, d\rangle : d \in D\}$ 
  $x \sqsubseteq y \;\equiv\; x = \bot$ 
  $\phantom{x \sqsubseteq y \;\equiv\;} \text{or } x = \langle 0, d\rangle \;\&\; y = \langle 0, d'\rangle \;\&\; d \sqsubseteq_D d'$ 
  $\mathrm{up}_D(d) = \langle 0, d\rangle$ 
  $\mathrm{lift}(f)(\bot) = \bot_E$ 
  $\mathrm{lift}(f)\langle 0, d\rangle = f(d).$ 

We can now define 

  $ev : D \rightharpoonup (D \to D)$ 

by 

  $ev(d) = \begin{cases} f, & \mathrm{unfold}(d) = \langle 0, f\rangle \\ \text{undefined}, & \mathrm{unfold}(d) = \bot. \end{cases}$ 

Thus $(D, ev)$ is a quasi-ats, and we write $d\Downarrow$ etc. Note that we can 
recover $d$ from $ev(d)$ by 

  $d = \mathrm{fold}(\langle 0, f\rangle), \quad d \Downarrow f$ 

The final ingredient in the definition of $D$ is initiality. The only direct 
consequence of this which we will use is contained in 
Theorem 6.4.1 $D$ is internally fully abstract, i.e. $\sqsubseteq_D = \lesssim^B$. 

Proof. Unpacking the definitions, we see that for all $d, d' \in D$: 

  $d \sqsubseteq d' \;\Leftrightarrow\; d \Downarrow f \Rightarrow d' \Downarrow g \;\&\; \forall d'' \in D.\, f(d'') \sqsubseteq g(d'').$ 

Thus the domain ordering is an applicative bisimulation, and so is included 
in $\lesssim^B$. For the converse, we need some additional notions. We define $d_k$, $f_k$ 
for $d \in D$, $f \in [D \to D]$, $k \in \omega$ by: 

  $d_0\Uparrow$ 
  $d\Uparrow \;\Rightarrow\; d_k\Uparrow$ 
  $d \Downarrow f \;\Rightarrow\; d_{k+1} \Downarrow f_k$ 
  $f_k \cdot d = (fd)_k.$ 

We can use standard techniques to prove, from the initiality of $D$: 

• $\forall d \in D.\, d = \bigsqcup_k d_k.$ 

The proof is completed with a routine induction to show that: 

  $\forall k \in \omega.\, d \lesssim^k d' \;\Rightarrow\; d_k \sqsubseteq d'_k.$ ■ 

As an immediate corollary of this result, we see that $D$ is an ats. We thus 
have an interpretation function 

  $[\![\cdot]\!]^D : CL(D) \to Env(D) \to D.$ 

We extend this to $\Lambda(D)$ by: 

  $[\![\lambda x.M]\!]^D_\rho = \mathrm{fold}(\mathrm{up}(\lambda d \in D.\, [\![M]\!]^D_{\rho[x \mapsto d]})).$ 

Note that the application induced from $(D, ev)$ can be described by 

  $d \cdot d' = \mathrm{lift}(Ap)(\mathrm{unfold}(d))\, d'$ 

where 

  $Ap : [D \to D] \to D \to D$ 

is the standard application function; and is therefore continuous. This 
together with standard arguments about environment semantics guarantees 
that our extension of $[\![\cdot]\!]^D$ is well-defined. Note also that $[\![\lambda x.M]\!]^D_\rho \neq \bot_D$, as 
expected. 

We can now define 

  $k = [\![\lambda x.\lambda y.x]\!]^D,$ 
  $s = [\![\lambda x.\lambda y.\lambda z.(xz)(yz)]\!]^D$ 

for $D$. It is straightforward to verify 

Proposition 6.4.2 $D$ is an lts. ■ 

Thus far, we have merely used our domain equation to construct a particular 
lts $D$. However, its "categorical" or "absolute" nature should lead us 
to suspect that we can use $D$ to study the whole class of lts. The medium 
we will use for this purpose is once again a suitable domain logic. 
6.5 A Domain Logic for Applicative Transition Systems 

Definition 6.5.1 The syntax of our domain logic $\mathcal{L}$ is defined by 

  $\phi ::= \mathbf{t} \mid \phi \wedge \psi \mid (\phi \to \psi)_\bot$ 

Definition 6.5.2 (Semantics of $\mathcal{L}$) Given a quasi ats $A$ we define the 
satisfaction relation $\models_A \subseteq A \times \mathcal{L}$: 

  $a \models_A \mathbf{t}$ always 

Notation: 

  $\mathcal{L}(a) = \{\phi \in \mathcal{L} : a \models_A \phi\}$ 
  $A \models \phi = \psi \;\equiv\; \forall a \in A.\, a \models_A \phi \Leftrightarrow a \models_A \psi$ 
  $\Delta \equiv (\mathbf{t} \to \mathbf{t})_\bot$ 
  $a \lesssim^{\mathcal{L}} b \;\equiv\; \mathcal{L}(a) \subseteq \mathcal{L}(b).$ 

Note that: $\forall a \in A.\, a\Downarrow \Leftrightarrow a \models_A \Delta$. 

Lemma 6.5.3 Let $A$ be a quasi ats. Then 

  $\forall a, b \in A.\, a \lesssim^B b \;\Rightarrow\; a \lesssim^{\mathcal{L}} b.$ 

Proof. We assume $a \lesssim^B b$ and prove $\forall \phi \in \mathcal{L}.\, a \models_A \phi \Rightarrow b \models_A \phi$ by 
induction on $\phi$. The non-trivial case is $(\phi \to \psi)_\bot$: 

  $a \models_A (\phi \to \psi)_\bot$ 
  $\Rightarrow\; b \Downarrow g \;\&\; \forall c.\, f(c) \lesssim^B g(c)$ 
  $\Rightarrow\; \forall c.\, c \models_A \phi \Rightarrow f(c) \lesssim^B g(c) \;\&\; f(c) \models_A \psi$ 
  $\Rightarrow\; \forall c.\, c \models_A \phi \Rightarrow g(c) \models_A \psi$ \quad (ind. hyp.) 
  $\Rightarrow\; b \models_A (\phi \to \psi)_\bot.$ 

To get a converse to this result, we need a condition on $A$. 

Definition 6.5.4 A quasi ats $A$ is approximable iff 

  $\forall a, b_1, \ldots, b_n \in A.\, a b_1 \ldots b_n\Downarrow \;\Rightarrow\; \exists \phi_1, \ldots, \phi_n \in \mathcal{L}.$ 
  $\quad a \models_A (\phi_1 \to \cdots (\phi_n \to \Delta)_\bot \cdots)_\bot \;\&\; b_i \models_A \phi_i,\ 1 \leq i \leq n.$ 

This is a natural condition, which says that convergence of a function 
application is caused by some finite amount of information (observable properties) 
of its arguments. 

As expected, we have 

Theorem 6.5.5 (Characterisation Theorem) Let $A$ be an approximable 
quasi ats. Then $\lesssim^B = \lesssim^{\mathcal{L}}$. 

Proof. By 5.3, $\lesssim^B \subseteq \lesssim^{\mathcal{L}}$. For the converse, suppose $a \not\lesssim^B b$. Then for some 
$k$, $a \not\lesssim^k b$, and so for some $c_1, \ldots, c_k \in A$: 

  $a c_1 \cdots c_k\Downarrow \;\&\; b c_1 \cdots c_k\Uparrow.$ 

By approximability, for some $\phi_1, \ldots, \phi_k \in \mathcal{L}$, 

  $a \models_A (\phi_1 \to \cdots (\phi_k \to \Delta)_\bot \cdots)_\bot \;\&\; c_i \models_A \phi_i,\ 1 \leq i \leq k.$ 

Clearly $b \not\models_A (\phi_1 \to \cdots (\phi_k \to \Delta)_\bot \cdots)_\bot$, and so $a \not\lesssim^{\mathcal{L}} b$. ■ 

As a further consequence of approximability, we have: 

Proposition 6.5.6 An approximable quasi ats is an ats. 

Proof. Suppose $a \Downarrow f$ and $b \lesssim^B c$. We must show $f(b) \lesssim^B f(c)$. It is sufficient 
to show that for all $k \in \omega$, $d_1, \ldots, d_k \in A$: 

  $f(b) d_1 \ldots d_k\Downarrow \;\Rightarrow\; f(c) d_1 \ldots d_k\Downarrow.$ 

Now $f(b) d_1 \ldots d_k\Downarrow$ implies $a b d_1 \ldots d_k\Downarrow$; hence by approximability, for some 
$\phi, \phi_1, \ldots, \phi_k \in \mathcal{L}$: 

  $a \models_A (\phi \to (\phi_1 \to \cdots (\phi_k \to \Delta)_\bot \cdots)_\bot)_\bot$ 

and 

  $b \models_A \phi, \quad d_i \models_A \phi_i,\ 1 \leq i \leq k.$ 

By 5.5, $c \models_A \phi$, and so $a c d_1 \ldots d_k \models_A \Delta$, and $f(c) d_1 \ldots d_k\Downarrow$ as required. ■ 

We now introduce a proof system for assertions of the form $\phi \leq \psi$, $\phi = \psi$ 
$(\phi, \psi \in \mathcal{L})$. 



Proof System For $\mathcal{L}$ 

  (REF) $\phi \leq \phi$ 

  (TRANS) $\dfrac{\phi \leq \psi \qquad \psi \leq \chi}{\phi \leq \chi}$ 

  (=-I) $\dfrac{\phi \leq \psi \qquad \psi \leq \phi}{\phi = \psi}$ 

  ($\mathbf{t}$-I) $\phi \leq \mathbf{t}$ 

  ($\wedge$-I) $\dfrac{\phi \leq \psi_1 \qquad \phi \leq \psi_2}{\phi \leq \psi_1 \wedge \psi_2}$ 

  ($\wedge$-E) $\phi \wedge \psi \leq \phi \qquad \phi \wedge \psi \leq \psi$ 

  ($(\to)_\bot$-$\leq$) $\dfrac{\phi_2 \leq \phi_1 \qquad \psi_1 \leq \psi_2}{(\phi_1 \to \psi_1)_\bot \leq (\phi_2 \to \psi_2)_\bot}$ 

  ($(\to)_\bot$-$\wedge$) $(\phi \to \psi_1 \wedge \psi_2)_\bot = (\phi \to \psi_1)_\bot \wedge (\phi \to \psi_2)_\bot$ 

  ($(\to)_\bot$-$\mathbf{t}$) $(\phi \to \mathbf{t})_\bot \leq (\mathbf{t} \to \mathbf{t})_\bot.$ 

We write $\mathcal{L} \vdash A$ or just $\vdash A$ to indicate that an assertion $A$ is derivable from 
these axioms and rules. Note that the converse of $((\to)_\bot$-$\mathbf{t})$ is derivable from 
($\mathbf{t}$-I) and $((\to)_\bot$-$\leq)$; by abuse of notation we refer to the corresponding 
equation by the same name. 

Theorem 6.5.7 (Soundness Theorem) $\vdash \phi \leq \psi \;\Rightarrow\; \models \phi \leq \psi.$ 

Proof. By a routine induction on the length of proofs. ■ 

So far, our logic has been presented in a syntax-free fashion so far as the 
elements of the ats are concerned. Now suppose we have an lts $A$. $\lambda$-terms 
can be interpreted in $A$, and for $M \in \Lambda(A)$, $\rho \in Env(A)$, we can define: 

  $M, \rho \models_A \phi \;\equiv\; [\![M]\!]^A_\rho \models_A \phi.$ 
We can extend this to arbitrary terms $M \in \Lambda$ in the presence of assumptions 
$\Gamma : Var \to \mathcal{L}$ on the variables: 

  $M, \Gamma \models_A \phi \;\equiv\; \forall \rho \in Env(A).\, \rho \models_A \Gamma \Rightarrow [\![M]\!]^A_\rho \models_A \phi$ 

where 

  $\rho \models_A \Gamma \;\equiv\; \forall x \in Var.\, \rho x \models_A \Gamma x.$ 

We write 

  $M, \Gamma \models \phi \;\equiv\; \forall A.\, M, \Gamma \models_A \phi.$ 

We now introduce a proof system for assertions of the form $M, \Gamma \vdash \phi$. 

Proof System For Program Logic 

  (TR) $M, \Gamma \vdash \mathbf{t}$ 

  (AND) $\dfrac{M, \Gamma \vdash \phi \qquad M, \Gamma \vdash \psi}{M, \Gamma \vdash \phi \wedge \psi}$ 

  (LEQ) $\dfrac{\Gamma \leq \Delta \qquad M, \Delta \vdash \phi \qquad \phi \leq \psi}{M, \Gamma \vdash \psi}$ 

  (ABS) $\dfrac{M, \Gamma[x \mapsto \phi] \vdash \psi}{\lambda x.M, \Gamma \vdash (\phi \to \psi)_\bot}$ 

  (APP) $\dfrac{M, \Gamma \vdash (\phi \to \psi)_\bot \qquad N, \Gamma \vdash \phi}{MN, \Gamma \vdash \psi}$ 

Theorem 6.5.8 (Soundness of Program Logic) For all $M, \Gamma, \phi$: 

  $M, \Gamma \vdash \phi \;\Rightarrow\; M, \Gamma \models \phi.$ ■ 

The proof is again routine. Note the striking similarity of our program logic 
with type inference, in particular with the intersection type discipline and 
Extended Applicative Type Structures of [CDHL84]. The crucial difference 
lies in the entailment relation $\leq$, and in particular the fact that their axiom 
(in our notation) 

is not a theorem in our logic; instead, we have the weaker $((\to)_\bot$-$\mathbf{t})$. This 
reflects a different notion of "function space"; we discuss this further in section 
7. 

We now come to the expected connection between the domain logic $\mathcal{L}$ and 
the domain $D$. Once again, the connecting link is the domain equation used 
to define $D$, and from which $\mathcal{L}$ is derived. Since this equation corresponds 
to the type expression $\sigma = \mathrm{rec}\, t.(t \to t)_\bot$, it falls within the scope of the 
general theory developed in Chapter 4. The logic $\mathcal{L}$ presented in this section 
is a streamlined version of $\mathcal{L}(\sigma)$ as defined in Chapter 4. Once we have shown 
that $\mathcal{L}$ is equivalent to $\mathcal{L}(\sigma)$, we can apply the results of Chapter 4 to obtain 
the desired relationships between $\mathcal{L} \simeq \mathcal{L}(\sigma)$ and $D \simeq D(\sigma)$. 

Firstly, note that $\mathcal{L}$ as presented contains no disjunctive structure, while 
the constructs $\to$, $(\cdot)_\bot$ appearing in $\sigma$ generate no inconsistencies according 
to the definition of $\mathcal{L}$ in Chapter 4. Thus (the Lindenbaum algebra of) $\mathcal{L}_\wedge(\sigma)$, 
the purely conjunctive part of $\mathcal{L}(\sigma)$, is a meet-semilattice, and applying Theorem 
2.3.4, we obtain 

  $\mathrm{Spec}(\mathcal{L}(\sigma)/{=}, \leq/{=}) \;\cong\; \mathrm{Filt}(\mathcal{L}_\wedge(\sigma)/{=}, \leq/{=}).$ 

It remains to show that $\mathcal{L}$ is pre-isomorphic to $\mathcal{L}_\wedge(\sigma)$. We can describe the 
syntax of $\mathcal{L}_\wedge(\sigma)$ as follows: 

• $\mathcal{L}_\wedge(\sigma)$: 

  $\phi ::= \mathbf{t} \mid \phi \wedge \psi \mid (\phi)_\bot \quad (\phi \in \mathcal{L}_\wedge(\sigma \to \sigma))$ 

• $\mathcal{L}_\wedge(\sigma \to \sigma)$: 

  $\phi ::= \mathbf{t} \mid \phi \wedge \psi \mid (\phi \to \psi) \quad (\phi, \psi \in \mathcal{L}_\wedge(\sigma)).$ 

Using $((\cdot)_\bot$-$\wedge)$ and $(\to$-$\mathbf{t})$ (i.e. the nullary instances of $(\to$-$\wedge)$) from 
Chapter 4, we obtain the following normal forms for $\mathcal{L}_\wedge(\sigma)$: 

  $\phi ::= \mathbf{t} \mid \phi \wedge \psi \mid (\phi \to \psi)_\bot.$ 

In this way we see that $\mathcal{L} \subseteq \mathcal{L}_\wedge(\sigma)$, and that each $\phi \in \mathcal{L}_\wedge(\sigma)$ is equivalent to 
one in $\mathcal{L}$. Moreover, the axioms and rules of $\mathcal{L}$ are easily seen to be derivable 
in $\mathcal{L}_\wedge(\sigma)$. For example, $((\to)_\bot$-$\mathbf{t})$ is derivable, since 

It remains to show the converse, i.e. that for $\phi, \psi \in \mathcal{L}$: 

For this purpose, we use $((\to)_\bot$-$\wedge)$ and $((\to)_\bot$-$\mathbf{t})$ to get normal forms for 
$\mathcal{L}$. 

Lemma 6.5.9 (Normal Forms) Every formula in $\mathcal{L}$ is equivalent to one 
in $N\mathcal{L}$, where: 

• $N\mathcal{L} = \{\bigwedge_{i \in I} \phi_i : I \text{ finite},\ \phi_i \in SN\mathcal{L},\ i \in I\}$ 

• $SN\mathcal{L} = \{(\phi_1 \to \cdots (\phi_k \to \Delta)_\bot \cdots)_\bot : k \geq 0,\ \phi_i \in N\mathcal{L},\ 1 \leq i \leq k\}.$ ■ 

Now by the semantic arguments of Chapter 3, we have 

Lemma 6.5.10 For $\phi \equiv \bigwedge_{i \in I}(\phi_i \to \psi_i)_\bot$ and $\psi \equiv \bigwedge_{j \in J}(\phi'_j \to \psi'_j)_\bot$ with 
$I \neq \emptyset$: 

  $\mathcal{L}(\sigma) \vdash \phi \leq \psi \;\Leftrightarrow\; \forall j \in J.\ \mathcal{L}(\sigma) \vdash \bigwedge\{\psi_i : \mathcal{L}(\sigma) \vdash \phi'_j \leq \phi_i\} \leq \psi'_j.$ 

Proposition 6.5.11 For $\phi, \psi \in N\mathcal{L}$, if $\mathcal{L}(\sigma) \vdash \phi \leq \psi$ then there is a proof 
of $\phi \leq \psi$ using only the meet-semilattice laws and the derived rule $((\to)_\bot$- …). 

Proof. By induction on the complexity of $\phi$ and $\psi$, and the preceding 
Lemma. ■ 

We have thus shown that 

  $\mathcal{L}(\sigma) \;\simeq\; \mathcal{L}_\wedge(\sigma) \;\simeq\; \mathcal{L},$ 

and we can apply the Duality Theorem of Chapter 4 to obtain 
Theorem 6.5.12 (Stone Duality) $\mathcal{L}$ is the Stone dual of $D$: 

  (i) $D \cong \mathrm{Filt}\, \mathcal{L}$ 

  (ii) $(K(D))^{op} \cong (\mathcal{L}/{=}, \leq/{=}).$ 

Corollary 6.5.13 $D \models \phi \leq \psi \;\Leftrightarrow\; \mathcal{L} \vdash \phi \leq \psi.$ 

We can now deal with the program logic over $\lambda$-terms in a similar fashion. 
The denotational semantics for $\Lambda$ in $D$ given in the previous section can be 
used to define a translation map 

  $(\cdot)^* : \Lambda \to \Lambda(\sigma).$ 

The logic presented in this section is equivalent to the endogenous logic of 
Chapter 4 in the sense that 

  $M, \Gamma \vdash \phi \;\Leftrightarrow\; M^*, \Gamma \vdash \phi$ 

where $M \in \Lambda$, $\Gamma : Var \to \mathcal{L}$, $\phi \in \mathcal{L} \subseteq \mathcal{L}(\sigma)$. We omit the details, which by 
now should be routine. As a consequence of this result, we can apply the 
Completeness Theorem for Endogenous Logic from Chapter 4, to obtain: 

Theorem 6.5.14 $D$ is $\mathcal{L}$-complete, i.e. for all $M \in \Lambda$, $\Gamma : Var \to \mathcal{L}$, 
$\phi \in \mathcal{L} \subseteq \mathcal{L}(\sigma)$: 

  $M, \Gamma \vdash \phi \;\Leftrightarrow\; M, \Gamma \models_D \phi.$ 

In the previous section, we defined an lts over $D$; and we have now shown 
that $D$ is isomorphic to $\mathrm{Filt}\, \mathcal{L}$. We can in fact describe the lts structure 
over $\mathrm{Filt}\, \mathcal{L}$ directly; and this will show how $D$, defined by a domain equation 
reminiscent of the $D_\infty$ construction, can also be viewed as a graph model or 
"PSE algebra" in the terminology of [Lon83]. 

Notation. For $X \subseteq \mathcal{L}$, $X^\uparrow$ is the filter generated by $X$. This can be defined 
inductively by: 

• $X \subseteq X^\uparrow$ 

• $\mathbf{t} \in X^\uparrow$ 

• $\phi, \psi \in X^\uparrow \;\Rightarrow\; \phi \wedge \psi \in X^\uparrow$ 
Definition 6.5.15 The quasi-applicative structure with divergence 

  $(\mathrm{Filt}\, \mathcal{L}, \cdot, \Uparrow)$ 

is defined as follows: 

• $x\Uparrow \;\equiv\; x = \{\mathbf{t}\}$ 

• $x \cdot y = \{\psi : \exists \phi.\, (\phi \to \psi)_\bot \in x \;\&\; \phi \in y\} \cup \{\mathbf{t}\}.$ 

It is easily verified that in this structure 

and hence that application is monotone in each argument, and $\mathrm{Filt}\, \mathcal{L}$ is an 
ats. Thus we have an interpretation function 

  $[\![\cdot]\!]^F : CL(\mathrm{Filt}\, \mathcal{L}) \to Env(\mathrm{Filt}\, \mathcal{L}) \to \mathrm{Filt}\, \mathcal{L}$ 

which is extended to $\Lambda(\mathrm{Filt}\, \mathcal{L})$ by 

  $[\![\lambda x.M]\!]^F_\rho = \{(\phi \to \psi)_\bot : \psi \in [\![M]\!]^F_{\rho[x \mapsto \phi^\uparrow]}\}^\uparrow.$ 

We then define 

Definition 6.5.16 

  $s = [\![\lambda x.\lambda y.\lambda z.(xz)(yz)]\!]^F$ 
  $k = [\![\lambda x.\lambda y.x]\!]^F.$ 

Proposition 6.5.17 $\mathrm{Filt}\, \mathcal{L}$ is an lts. Moreover, $\mathrm{Filt}\, \mathcal{L}$ and $D$ are isomorphic 
as combinatory algebras. 

Proof. It is sufficient to show that the isomorphism of the Duality Theorem 
preserves application, divergence and the denotation of $\lambda$-terms, since it then 
preserves $s$ and $k$ and so is a combinatory isomorphism, and $\mathrm{Filt}\, \mathcal{L}$ is an lts, 
since $D$ is. 

Firstly, we show that application is preserved, i.e. for $d_1, d_2 \in D$: 

The right to left inclusion follows by the same argument as the soundness of 
(APP) in 6.5.7. For the converse, suppose $\psi \in \mathcal{L}(d_1 \cdot d_2)$, $\psi \neq \mathbf{t}$. By 
the Duality Theorem, each $\psi$ in $\mathcal{L}$ corresponds to a unique $c \in K(D)$ with 
$\mathcal{L}(c) = \uparrow\psi$. Since application is continuous in $D$, $c \sqsubseteq d_1 \cdot d_2$, $c \neq \bot$ implies 
that for some $b \in K(D)$, $\mathrm{fold}(\langle 0, [b, c]\rangle) \sqsubseteq d_1$ and $b \sqsubseteq d_2$. Let $\mathcal{L}(b) = \uparrow\phi$, 
then $(\phi \to \psi)_\bot \in \mathcal{L}(d_1)$ and $\phi \in \mathcal{L}(d_2)$, as required. 

Next, we show that denotations of $\lambda$-terms are preserved, i.e. for all 
$M \in \Lambda$, $\rho \in Env(D)$: 

This is proved by induction on $M$. The case when $M$ is a variable is trivial; 
the case for application uses the preservation of application just shown. For 
abstraction, we argue by structural induction over $\mathcal{L}$. We show the non-trivial 
case. Let $\phi, b$ be paired in the isomorphism of the Duality Theorem. Then 

  $\lambda x.M, \rho \models_D (\phi \to \psi)_\bot$ 
  $\Leftrightarrow\; M, \rho[x \mapsto b] \models_D \psi$ 
  $\Leftrightarrow\; M, \mathcal{L}() \circ (\rho[x \mapsto b]) \models_{\mathrm{Filt}\, \mathcal{L}} \psi$ \quad (ind. hyp.) 
  $\Leftrightarrow\; M, (\mathcal{L}() \circ \rho)[x \mapsto \uparrow\phi] \models_{\mathrm{Filt}\, \mathcal{L}} \psi$ 
  $\Leftrightarrow\; \lambda x.M, \mathcal{L}() \circ \rho \models_{\mathrm{Filt}\, \mathcal{L}} (\phi \to \psi)_\bot$ 

Finally, divergence is trivially preserved, since the only divergent elements 
in $D$, $\mathrm{Filt}\, \mathcal{L}$ are $\bot$, $\{\mathbf{t}\}$, and these are in bi-unique correspondence under the 
isomorphism of the Duality Theorem. ■ 

We can now proceed in exact analogy to Chapter 5, and use Stone Duality 
to convert the Characterisation Theorem into a Final Algebra Theorem. 

Definition 6.5.18 We define a number of categories of transition systems: 

ATS Objects: applicative transition systems; morphisms A ^ B: maps 
f : A ^ B satisfying 

LTS The subcategory of ATS of Its and morphisms which preserve applica- 
tion, s and k. 



194 



CLTS The full subcategory of LTS of those $A$ satisfying continuity:

$\psi \neq \mathsf{t},\ ab \models_A \psi \ \Rightarrow\ \exists\varphi.\ a \models_A (\varphi \to \psi)_\bot\ \&\ b \models_A \varphi$

and also

Note that continuity implies approximability.

Theorem 6.5.19 (Final Algebra) (i) $D$ is final in ATS.
(ii) Let $A$ be an approximable lts. The map

$t_A : A \to D$

from (i) is an LTS morphism iff $A$ is continuous.
(iii) $D$ is final in CLTS.

Proof. (i). Given $A$ in ATS, define
$t_A : A \to D$

by

$t_A = A \xrightarrow{\ \mathcal{L}()\ } \mathrm{Filt}\,\mathcal{L} \xrightarrow{\ \eta\ } D$

where $\eta$ is the isomorphism from the Stone Duality Theorem. For $a \in A$,

$\mathcal{L}(a) = \mathcal{L} \circ \eta \circ \mathcal{L}(a) = \mathcal{L} \circ t_A(a)$,
and so $t_A$ is an ATS morphism; moreover, it is unique, since for $d, d' \in D$:

$\mathcal{L}(d) = \mathcal{L}(d') \ \Rightarrow\ \bigcap \mathcal{L}(d) = \bigcap \mathcal{L}(d') \ \Rightarrow\ d = d'$.

(ii). That $t_A$ is a combinatory morphism iff $A$ is in CLTS is an immediate consequence of the definitions; the result then follows from the fact that $\eta$ is a combinatory isomorphism.

(iii). Immediate from (ii). ■

Note that if $A$ is approximable, we have:

$a \sqsubseteq^A b \iff t_A(a) \sqsubseteq t_A(b)$.

Thus we can regard the Final Algebra Theorem as giving a syntax-free fully abstract semantics for approximable ats. However, from the point of view of applications to programming language semantics, this is not very useful. In the next section, we shall study full abstraction in a syntax-directed framework, using our domain logic as a tool.
6.6 Lambda Transition Systems considered as Programming Languages



The classical discussion of full abstraction in the $\lambda$-calculus [Plo77, Mil77] is set in the typed $\lambda$-calculus with ground data. As remarked in the Introduction, this material has not to date been transferred successfully to the pure untyped $\lambda$-calculus. To see why this is so, let us recall some basic notions from [Plo77, Mil77].

Firstly, there is a natural notion of program, namely closed term of ground 
type. Programs either diverge, or yield a ground constant as result. This 
provides a natural notion of observable behaviour for programs, and hence an 
operational order on them. This is extended to arbitrary terms via ground 
contexts; in other words, the point of view is taken that only program be- 
haviour is directly observable, and the meaning of a higher-type term lies in 
the observable behaviour of the programs into which it can be embedded. 
Thus both the presence of ground data, and the fact that terms are typed, 
enter into the basic definitions of the theory. 

By contrast, we have a notion of atomic observation for the lazy $\lambda$-calculus in the absence of types or ground data, namely convergence to weak head normal form. This leads to the applicative bisimulation relation, and hence to a natural operational ordering. We can thus develop a theory of full abstraction in the pure untyped $\lambda$-calculus. Our results will correspond recognisably to those in [Plo77], although the technical details contain many differences. One feature of our development is that we work axiomatically with classes of lts under various hypotheses, rather than with particular languages. (Note that operational transition systems and "programming languages" such as $\ell$ actually are lts under our definitions.)

Definition 6.6.1 Let A be an Its. V is fully abstract for A if Q{A) = '^{V). 

This definition is consistent with that in [Plo77, Mil77], provided we accept the applicative bisimulation ordering on $A$ as the appropriate operational preorder. The argument for doing so is made highly plausible by Proposition 6.2.5, which characterises applicative bisimulation as a contextual preorder analogous to those used in [Plo77, Mil77]. We shall prove 6.2.5 later in this section.

We now turn to the question of conditions under which $D$ is fully abstract for $A$. As emerges from [Plo77, Mil77], this is essentially a question of definability.
Definition 6.6.2 An ats $A$ is $\mathcal{L}$-expressive if for all $\varphi \in \mathcal{L}$, for some $a \in A$:

$\mathcal{L}(a) = {\uparrow}\varphi = \{\psi \in \mathcal{L} : \varphi \le \psi\}$.

In the light of Stone Duality, $\mathcal{L}$-expressiveness can be read as: "all finite elements of $D$ are definable in $A$".

Definition 6.6.3 Let $A$ be an ats.

• Convergence testing is definable in $A$ if for some $c \in A$, $A$ satisfies:

- $x{\Uparrow} \ \Rightarrow\ cx{\Uparrow}$.

- $x{\Downarrow} \ \Rightarrow\ cx = \mathsf{I}$.

In this case, we use $\mathsf{C}$ as a constant to denote $c$.

• Parallel convergence is definable in $A$ if for some $p \in A$, $A$ satisfies:

- $px{\Downarrow}$.

- $x{\Downarrow} \ \Rightarrow\ pxy{\Downarrow}$.

- $y{\Downarrow} \ \Rightarrow\ pxy{\Downarrow}$.

- $x{\Uparrow}\ \&\ y{\Uparrow} \ \Rightarrow\ pxy{\Uparrow}$.

In this case, we use $\mathsf{P}$ to denote such a $p$.

Note that if $\mathsf{C}$ is definable, it is unique (up to bisimulation); this is not so for $\mathsf{P}$.

The notion of parallel convergence is reminiscent of Plotkin's parallel or, and will play a similar role in our theory. (A sharper comparison will be made later in this section.) The notion of convergence testing is less expected. We can think of the combinator $\mathsf{C}$ as a sort of "1-strict" version of $\mathsf{K}$:

$\mathsf{C}xy = \mathsf{K}xy = y$ if $x{\Downarrow}$,
$\mathsf{C}xy{\Uparrow}$ if $x{\Uparrow}$.

This 1-strictness allows us to test, sequentially, a number of expressions for convergence. Under the hypothesis that $\mathsf{C}$ is definable, we can give a very satisfactory picture of the relationship between all these notions.
Theorem 6.6.4 (Full Abstraction) Let $A$ be a sensible, approximable lts in which $\mathsf{C}$ is definable. The following conditions are equivalent:

(i) Parallel convergence is definable in $A$.

(ii) $A$ is $\mathcal{L}$-expressive.

(iii) $A$ is $\mathcal{L}$-complete.

(iv) $t_A$ is a combinatory embedding with $K(D) \subseteq \mathrm{Im}\,t_A$.

(v) $D$ is fully abstract for $A$.

Proof. We shall prove a sequence of implications to establish the theorem, indicating in each case which hypotheses on $A$ are used.

(i) $\Rightarrow$ (ii) ($A$ sensible, $\mathsf{C}$ definable).

Since $A$ is sensible, $\Omega$ diverges in $A$.
Notation. Given a set Con of constants, $\Lambda(\mathrm{Con})$ is the set of $\lambda$-terms over Con.

For each $\varphi \in NC$ we shall define terms $M_\varphi, T_\varphi \in \Lambda(\{\mathsf{P}, \mathsf{C}\})$ such that:

$\forall a \in A.\ T_\varphi a{\Downarrow}$ if $a \models \varphi$, $T_\varphi a{\Uparrow}$ otherwise.



The definition is by induction on the complexity of

$\varphi = \bigwedge\{(\varphi_{i,1} \to \cdots (\varphi_{i,k_i} \to \lambda)_\bot \cdots)_\bot : i \in I\}$.

If $I = \emptyset$, $M_\varphi = \Omega$. Otherwise, we define $M_\varphi = M(\varphi, k)$, where $k = \max\{k_i : i \in I\}$:

$M(\varphi, 0) =$

$M(\varphi, i + 1) = \lambda x_j.\,\mathsf{C}\,N\,M(\varphi, i)$

where

$j = k - i$

$N = \sum\{N_i : j \le k_i\}$

$N_i = \mathsf{C}(T_{\varphi_{i,1}} x_1)(\mathsf{C}(T_{\varphi_{i,2}} x_2)(\ldots(\mathsf{C}(T_{\varphi_{i,j}} x_j))\ldots))$

$\sum\emptyset = \Omega$

$\sum\{N\} \cup E = \mathsf{P}\,N\,(\sum E)$.

$T_\varphi = \lambda x.\prod\{x M_{\varphi_{i,1}} \ldots M_{\varphi_{i,k_i}} : i \in I\}$

$\prod\{N\} \cup E = \mathsf{C}\,N\,(\prod E)$.

We must show that these definitions have the required properties. Firstly, we prove for all $\varphi \in NC$:

(1) $M_\varphi \models_A \varphi$

(2) $a \models_A \varphi \ \Rightarrow\ T_\varphi a{\Downarrow}$
by induction on $\varphi$:

• Mi el. aj {l<]<h) 

^ M^ai . . . afe.JJ. by induction hypothesis (2), 

.-. 0. 

• a by induction hypothesis (1) 

We complete the argument by proving, for all & NC: 

(3) M,^ 1=^ ^ £ h < V 

(4) 1=^ ^ £ h ^ < 

(5) r^M^4 ^ Mv, 

(6) T^M,^^ ^ V- 
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The proof is by induction on n + m, where n, m are the number of sub- 
formulae of (f), respectively. Let 
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(3): 



Vje J.M^Mv,.,...M^.,.^ by(l), 
=^ Mj e J.3ie I. kj < ki k T^^ ,M^.^,^, l<l<kj 

M^^.; 1=^ 1 <l <kj ind. hyp. (5) 

^ C \- ipj^i < (pi^i, l<l<kj ind. hyp. (4) 

^ £ h < 

(4) : Symmetrical to (3). 

(5) : 

^ Vi e 7. 3j e J.ki< kj & T^.^M^._,^, 1<1 <ki 
^ M,/,. , z/^,-,, l<l<ki ind. hyp. (6) 

£ h (f)i^i < ipj^i, I <l <ki ind. hyp. (3) 

^ £ h ^ < 

^ h.A by (1). 

(6) : Symmetrical to (5). 

(ii) $\Rightarrow$ (iii) ($A$ approximable).

Notation. For each $\varphi \in \mathcal{L}$, $a_\varphi \in A$ is the element representing $\varphi$. Given $\Gamma : Var \to \mathcal{L}$, $\rho_\Gamma \in Env(A)$ is defined by

$\rho_\Gamma x = a_{\Gamma x}$.






Finally, : Var — > £ is the constant map x i-^ t. 
We begin with some preliminary results. 

(1) $A \models \varphi \le \psi \iff \mathcal{L} \vdash \varphi \le \psi$.

One half is the Soundness Theorem for $\mathcal{L}$. For the converse, note that

=^ £ h < 

(2) $\forall \psi \in NC.\ \psi \neq \mathsf{t}\ \&\ ab \models_A \psi \ \Rightarrow\ \exists\varphi.\ a \models_A (\varphi \to \psi)_\bot\ \&\ b \models_A \varphi$.
This is shown by induction on $\psi$.

• $ab \models_A \bigwedge_{i \in I} \psi_i$ ($I \neq \emptyset$)
$\iff \forall i \in I.\ ab \models_A \psi_i$

$\Rightarrow \forall i \in I.\ \exists\varphi_i.\ a \models_A (\varphi_i \to \psi_i)_\bot\ \&\ b \models_A \varphi_i$ by ind. hyp.

• $ab \models_A (\psi_1 \to \cdots (\psi_k \to \lambda)_\bot \cdots)_\bot$
$\Rightarrow ab\,a_{\psi_1} \ldots a_{\psi_k}{\Downarrow}$

$\Rightarrow \exists\varphi, \varphi_1, \ldots, \varphi_k.\ b \models_A \varphi\ \&\ a_{\psi_i} \models_A \varphi_i\ (1 \le i \le k)$

$\&\ a \models_A (\varphi \to (\varphi_1 \to \cdots (\varphi_k \to \lambda)_\bot \cdots)_\bot)_\bot$,

since $A$ is approximable
$\Rightarrow \mathcal{L} \vdash \psi_i \le \varphi_i\ (1 \le i \le k)$
$\Rightarrow \mathcal{L} \vdash (\varphi \to (\varphi_1 \to \cdots (\varphi_k \to \lambda)_\bot \cdots)_\bot)_\bot$

$\le (\varphi \to (\psi_1 \to \cdots (\psi_k \to \lambda)_\bot \cdots)_\bot)_\bot$
$\Rightarrow a \models_A (\varphi \to \psi)_\bot\ \&\ b \models_A \varphi$.
(3) VMeA.M,Fh.A0 ^ M,pr 0- 
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The right to left imphcation is clear, since pr T. We prove the converse 
by induction on M. 

X, r <^ A^Tx <(f) 

<^ £ h Fx < by(l) 

The case for Xx.M is proved by induction on 0. We show the non-trivial 
case. 

Xx.M,pr {(P^ij)± 
M,pr[x a^] V' 

M, r[x !->■ (f)] '0 by (outer) induction hypothesis 

\x.M,r ^A (0^^)±- 




(4): 



MN, Pr \=A ^ 

30. {M\j^ ^A (0 ^ i^)^ & [A^li by (2) 
M, r (0 ^ V')± & iV, r h.A ind. hyp. 



(i) X, r[x 0] 1=^ '0 <^=^ £ h < ^0 

(m) Ax.m, r 1=^ (0 ^ ^z-)^ M, r[x ^ 0] 

{ill) MN.V^Ai^ ^ 30.M,rh.A(0^V')- 



4(i) is proved using (1). 
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4(m): 

• Aa;.M,r 1=^ (0 ^ 

Vp.pKr[j;^(/)] ^ M,p^^V' 
since [Ax- Mj^.a = IM];^,^,], 
^ M,r[a;^0] h^^. 

The converse follows from the soundness of C. 
4(m): 

M7V,rKV' ^ MAr,prh^V' by (3) 

^ 30. |M];:^J=^ (0 ^ & [iV];f^ by (2) 
^ 30.M,rh^(0^^)^&7V,rh.A</' by(3) 

We can now prove 

M,r ^^0 ^ M,rh0 

by induction on M, using (4). 
(iii) $\Rightarrow$ (i).

Firstly, note that (iii) implies
$A \models \varphi \le \psi \iff \mathcal{L} \vdash \varphi \le \psi$.

One half is the Soundness Theorem. For the converse, suppose $A \models \varphi \le \psi$ and $\mathcal{L} \nvdash \varphi \le \psi$. Then $\mathsf{I} \models_A (\varphi \to \psi)_\bot$ but $\mathsf{I} \nvdash (\varphi \to \psi)_\bot$, and so $A$ is not $\mathcal{L}$-complete.

Now suppose that $\mathsf{P}$ is not definable in $A$, and consider
$\varphi = (\lambda \to (\mathsf{t} \to \lambda)_\bot)_\bot \wedge (\mathsf{t} \to (\lambda \to \lambda)_\bot)_\bot$,
$\psi = (\mathsf{t} \to (\mathsf{t} \to \lambda)_\bot)_\bot$.

Clearly, $\mathcal{L} \nvdash \varphi \le \psi$. However, for $a \in A$, if $a \models_A \varphi$, then $x{\Downarrow}$ or $y{\Downarrow}$ implies $axy{\Downarrow}$; since $\mathsf{P}$ is not definable in $A$, and in particular, $a$ does not define $\mathsf{P}$, we must have $axy{\Downarrow}$ even if $x{\Uparrow}$ and $y{\Uparrow}$, and hence $a \models_A \psi$. Thus $A \models \varphi \le \psi$, and so by our opening remark, $A$ is not $\mathcal{L}$-complete.
(ii) $\Rightarrow$ (iv) ($A$ approximable).

Clearly $\mathrm{Im}\,t_A \supseteq K(D)$, by 5.14(ii). Also, since $A$ is approximable, we can apply the Characterisation Theorem to deduce that $t_A$ is injective (modulo bisimulation). To show that $t_A$ is a combinatory morphism, we argue as in 6.5.17. Application is preserved by using (2) from the proof of (ii) $\Rightarrow$ (iii) and 6.5.17. The proof is completed by showing that $t_A$ preserves denotations of $\lambda$-terms, i.e.

$\forall M \in \Lambda, \rho \in Env(A).\ t_A([\![M]\!]\rho) = [\![M]\!](t_A \circ \rho)$.

The proof is by induction on $M$. Since it is very similar to the corresponding part of the proof of 6.5.17, we omit it. The only non-trivial point is that in the case for abstraction we need:

$\forall a \in A.\ a \models_A \varphi \ \Rightarrow\ M, \rho[x \mapsto a] \models_A \psi$

if and only if

$M, \rho[x \mapsto a_\varphi] \models_A \psi$,

which is proved similarly to (3) in (ii) $\Rightarrow$ (iii).
(iv) $\Rightarrow$ (v).

Assuming (iv), $A$ is isomorphic (modulo bisimulation) to a substructure of $D$. Since formulas in HF are (equivalent to) universal ($\Pi_1$) sentences, every HF formula valid in $D$ is valid in $A$. Since $K(D) \subseteq \mathrm{Im}\,t_A$, to prove the converse it is sufficient to show, for $H \in HF$:

$D, \rho \not\models H \ \Rightarrow\ \exists\rho_0 : Var \to K(D).\ D, \rho_0 \not\models H$.

Let $H = P \Rightarrow F$, where $P = \bigwedge_{i \in I} M_i{\Downarrow} \wedge \bigwedge_{j \in J} N_j{\Uparrow}$. There are four cases, corresponding to the form of $F$.

Case 1: $F = M \sqsubseteq N$. $D, \rho \not\models P \Rightarrow F$ implies $D, \rho \models P$ and $[\![M]\!]\rho \not\sqsubseteq [\![N]\!]\rho$. Since $D$ is algebraic, $D, \rho \not\models M \sqsubseteq N$ implies that for some $b \in K(D)$, $b \sqsubseteq [\![M]\!]\rho$ and $b \not\sqsubseteq [\![N]\!]\rho$. Since the expression $[\![M]\!]\rho$ is continuous in $\rho$, $b \sqsubseteq [\![M]\!]\rho$ implies that for some $\rho_1 : Var \to K(D)$, $\rho_1 \sqsubseteq \rho$ and $b \sqsubseteq [\![M]\!]\rho_1$. For all $\rho'$ with $\rho_1 \sqsubseteq \rho' \sqsubseteq \rho$, $[\![N]\!]\rho' \sqsubseteq [\![N]\!]\rho$, and hence $b \not\sqsubseteq [\![N]\!]\rho'$. Again, since $D$ is algebraic,

$D, \rho \models M_i{\Downarrow} \ \Rightarrow\ \exists\rho_i : Var \to K(D).\ \rho_i \sqsubseteq \rho\ \&\ D, \rho_i \models M_i{\Downarrow}$.

Now let $\rho_0 = \bigsqcup_{i \in I} \rho_i \sqcup \rho_1$. This is well-defined since $D$ is a lattice. Moreover, $\rho_0 \sqsubseteq \rho$, and $\rho_0 : Var \to K(D)$. Since $\rho_0 \sqsupseteq \rho_i$ ($i \in I$), $D, \rho_0 \models M_i{\Downarrow}$; while since $\rho_0 \sqsubseteq \rho$, $D, \rho_0 \models N_j{\Uparrow}$ ($j \in J$). Since $\rho_1 \sqsubseteq \rho_0 \sqsubseteq \rho$, $b \sqsubseteq [\![M]\!]\rho_0$ & $b \not\sqsubseteq [\![N]\!]\rho_0$, and so $D, \rho_0 \not\models M \sqsubseteq N$. Thus $D, \rho_0 \not\models P \Rightarrow F$, as required.

The remaining cases are proved similarly.
(v) $\Rightarrow$ (i) ($A$ sensible).

Consider the formula

It is easy to see that $A \models H$ iff $\mathsf{P}$ is not definable in $A$. Since $\mathsf{P}$ is definable in $D$, the result follows. ■

We now turn to the question of when the bisimulation preorder on an lts can be characterised by means of a contextual equivalence, as in [Bar84, Plo77, Mil77].

Definition 6.6.5 Let $A$ be an lts, $X, Y \subseteq A$. Then $X$ separates $Y$ if:

$\forall M, N \in \Lambda^\circ(Y).\ A \not\models M \sqsubseteq N \ \Rightarrow\ \exists P_1, \ldots, P_k \in \Lambda^\circ(X).\ A \models MP_1 \ldots P_k{\Downarrow}\ \&\ A \models NP_1 \ldots P_k{\Uparrow}$.

In particular, if $X$ separates $A$ we say that it is a separating set. For example, $A$ is always a separating set.

Proposition 6.6.6 Let $A$ be an approximable lts, and suppose $X$ separates $Y$. Then

$\forall M, N \in \Lambda^\circ(Y).\ A \models M \sqsubseteq N$

$\iff \forall C[\cdot] \in \Lambda^\circ(X).\ A \models C[M]{\Downarrow} \ \Rightarrow\ A \models C[N]{\Downarrow}$.

Proof. Suppose $A \not\models M \sqsubseteq N$. Then since $X$ separates $Y$, for some $P_1, \ldots, P_k \in \Lambda^\circ(X)$, $A \models MP_1 \ldots P_k{\Downarrow}$ and $A \models NP_1 \ldots P_k{\Uparrow}$. Let $C[\cdot] = [\cdot]P_1 \ldots P_k$. For the converse, suppose $A \models M \sqsubseteq N$ and $A \models C[M]{\Downarrow}$. Since $A$ is approximable and $A \models C[M] = (\lambda x.C[x])M$, for some $\varphi$, $\lambda x.C[x] \models_A (\varphi \to \lambda)_\bot$ and $M \models_A \varphi$. Since $A \models M \sqsubseteq N$, by the Characterisation Theorem $N \models_A \varphi$, and so $A \models C[N]{\Downarrow}$. ■

As a first application of this Proposition, we have: 
Proposition 6.6.7 Let $A$ be a sensible, approximable lts in which $\mathsf{C}$ and $\mathsf{P}$ are definable. Then $\{\mathsf{C}, \mathsf{P}\}$ is a separating set.

Proof. By the Full Abstraction Theorem, for each $\varphi \in \mathcal{L}$ there is $M_\varphi \in \Lambda^\circ(\{\mathsf{C}, \mathsf{P}\})$ such that

Now

$\Rightarrow \exists\varphi.\ M \models_A \varphi\ \&\ N \not\models_A \varphi$, since $A$ is approximable
$\Rightarrow \exists\varphi_1, \ldots, \varphi_k.\ M \models_A (\varphi_1 \to \cdots (\varphi_k \to \lambda)_\bot \cdots)_\bot$

$\&\ N \not\models_A (\varphi_1 \to \cdots (\varphi_k \to \lambda)_\bot \cdots)_\bot$
$\Rightarrow MM_{\varphi_1} \ldots M_{\varphi_k}{\Downarrow}\ \&\ NM_{\varphi_1} \ldots M_{\varphi_k}{\Uparrow}$. ■

The hypothesis of approximability has played a major part in our work. We now give a useful sufficient condition.

Definition 6.6.8 Let $A$ be an lts, $X \subseteq A$. Then $A$ is $X$-sensible if
$\forall M \in \Lambda^\circ(X).\ A \models M{\Downarrow} \ \Rightarrow\ D \models M{\Downarrow}$.

Here $[\![M]\!]^A$ is the denotation in $D$ obtained by mapping each $a \in X$ to $t_A(a)$. Note that if we extend our endogenous program logic to terms in $\Lambda^\circ(X)$, with axioms

$a, \Gamma \vdash \varphi \quad (\varphi \in \mathcal{L}(a))$,

then the Soundness and Completeness Theorems for $D$ still hold, by a straightforward extension of the arguments used above.

Proposition 6.6.9 Let $A$ be an $X$-sensible lts. Then $A$ is $X$-approximable, i.e.

$\forall M, N_1, \ldots, N_k \in \Lambda^\circ(X).\ A \models MN_1 \ldots N_k{\Downarrow} \ \Rightarrow\ \exists\varphi_1, \ldots, \varphi_k.$
$M \models_A (\varphi_1 \to \cdots (\varphi_k \to \lambda)_\bot \cdots)_\bot\ \&\ N_i \models_A \varphi_i,\ 1 \le i \le k$.
Proof.

• $A \models MN_1 \ldots N_k{\Downarrow}$

$\Rightarrow D \models MN_1 \ldots N_k{\Downarrow}$

$\Rightarrow \exists\varphi_1, \ldots, \varphi_k.\ M \models_D (\varphi_1 \to \cdots (\varphi_k \to \lambda)_\bot \cdots)_\bot$

$\&\ N_i \models_D \varphi_i,\ 1 \le i \le k$, since $D$ is approximable
$\Rightarrow \exists\varphi_1, \ldots, \varphi_k.\ M \vdash (\varphi_1 \to \cdots (\varphi_k \to \lambda)_\bot \cdots)_\bot$

$\&\ N_i \vdash \varphi_i,\ 1 \le i \le k$, by extended Completeness

$\Rightarrow \exists\varphi_1, \ldots, \varphi_k.\ M \models_A (\varphi_1 \to \cdots (\varphi_k \to \lambda)_\bot \cdots)_\bot$

$\&\ N_i \models_A \varphi_i,\ 1 \le i \le k$, by extended Soundness. ■

In particular, if $X$ generates $A$ and $A$ is $X$-sensible, then $A$ is approximable. We now turn to a number of applications of these ideas to syntactically presented lts, i.e. "programming languages".

Firstly, we consider the lts $\ell = (\Lambda^\circ, \mathrm{eval})$ defined in section 3 (and studied previously in section 2). Since $\ell$ is $\emptyset$-sensible by 6.3.11 and it is generated by $\emptyset$, it is approximable by 6.6.9. Since $\emptyset$ is a separating set for $\Lambda^\circ$, we can apply 6.6.6 to obtain Theorem 6.2.5.

Next, we consider extensions of $\ell$.

Definition 6.6.10 (i) $\ell_{\mathsf{C}}$ is the extension of $\ell$ defined by
$\ell_{\mathsf{C}} = (\Lambda^\circ(\{\mathsf{C}\}), {\Downarrow})$

where $\Downarrow$ is the extension of the relation defined in 6.2.2 with the following rules:

• $\mathsf{C}{\Downarrow}\mathsf{C}$

• $M{\Downarrow}N \ \Longrightarrow\ \mathsf{C}M{\Downarrow}\mathsf{I}$

(ii) $\ell_{\mathsf{P}}$ is the extension $(\Lambda^\circ(\{\mathsf{P}\}), {\Downarrow})$ of $\ell$ with the rules

• $\mathsf{P}{\Downarrow}\mathsf{P}$ • $\mathsf{P}M{\Downarrow}\mathsf{P}M$

• $M{\Downarrow}N \ \Longrightarrow\ \mathsf{P}MN{\Downarrow}\mathsf{I}$ • $N{\Downarrow}N' \ \Longrightarrow\ \mathsf{P}MN{\Downarrow}\mathsf{I}$
It is easy to see that the relation $\Downarrow$ as defined in both $\ell_{\mathsf{C}}$ and $\ell_{\mathsf{P}}$ is a partial function. Moreover, with these definitions the $\mathsf{C}$ and $\mathsf{P}$ combinators have the properties required by 6.6.3, while $\mathsf{C}$ is definable in $\ell_{\mathsf{P}}$, by

$\mathsf{C}M = \mathsf{P}MM$.

Since $\ell_{\mathsf{C}}$ is generated by $\{\mathsf{C}\}$, and $\ell_{\mathsf{P}}$ by $\{\mathsf{P}\}$, these are separating sets. Thus to apply Theorem 6.6.6, we need only check that $\ell_{\mathsf{C}}$ is $\mathsf{C}$-sensible, and $\ell_{\mathsf{P}}$ $\mathsf{P}$-sensible.

To do this for $\ell_{\mathsf{C}}$, we proceed as follows. Define $c \in \mathrm{Filt}\,\mathcal{L}$ to be the filter generated by

$\{(\lambda \to (\varphi \to \varphi)_\bot)_\bot : \varphi \in \mathcal{L}\}$.

Then it is easy to see that $c \sqsubseteq t_A(\mathsf{C})$, and by monotonicity and the Soundness Theorem,

$[\![M[c/\mathsf{C}]]\!] \sqsubseteq [\![M]\!]^A$
for $M \in \Lambda^\circ(\{\mathsf{C}\})$. Thus

(*) $D \models M[c/\mathsf{C}]{\Downarrow} \ \Rightarrow\ D \models M{\Downarrow}$.
Now we prove

(**) $\forall M, N \in \Lambda^\circ(\{\mathsf{C}\}).$

$M{\Downarrow}N \ \Rightarrow\ [\![M[c/\mathsf{C}]]\!] = [\![N[c/\mathsf{C}]]\!]\ \&\ D \models N[c/\mathsf{C}]{\Downarrow}$,

which by (*) yields $\ell_{\mathsf{C}} \models M{\Downarrow} \Rightarrow D \models M{\Downarrow}$, as required. (**) is proved by a straightforward induction on the length of the proof that $M{\Downarrow}N$.
The argument for $\ell_{\mathsf{P}}$ is similar, using the filter $p$ generated by

$\{(\lambda \to (\mathsf{t} \to (\varphi \to \varphi)_\bot)_\bot)_\bot \wedge (\mathsf{t} \to (\lambda \to (\varphi \to \varphi)_\bot)_\bot)_\bot : \varphi \in \mathcal{L}\}$.

Altogether, we have shown

Theorem 6.6.11 (Contextual Equivalence) (i) $\forall M, N \in \Lambda^\circ(\{\mathsf{C}\})$:

$\ell_{\mathsf{C}} \models M \sqsubseteq N \iff \forall C[\cdot] \in \Lambda^\circ(\{\mathsf{C}\}).\ \ell_{\mathsf{C}} \models C[M]{\Downarrow} \Rightarrow \ell_{\mathsf{C}} \models C[N]{\Downarrow}$.

(ii) $\forall M, N \in \Lambda^\circ(\{\mathsf{P}\})$:

$\ell_{\mathsf{P}} \models M \sqsubseteq N \iff \forall C[\cdot] \in \Lambda^\circ(\{\mathsf{P}\}).\ \ell_{\mathsf{P}} \models C[M]{\Downarrow} \Rightarrow \ell_{\mathsf{P}} \models C[N]{\Downarrow}$.
As a further application of these ideas, we have

Proposition 6.6.12 (Soundness of $D$) If $A$ is $X$-sensible, and $X$ separates $X$ in $A$, then:

^°{D,X) C Q\A,X). 

Proof.

$\Rightarrow \forall C[\cdot] \in \Lambda^\circ(X).\ D \models C[M] \sqsubseteq C[N]$

$\Rightarrow D \models C[M]{\Downarrow} \ \Rightarrow\ D \models C[N]{\Downarrow}$

$\Rightarrow A \models C[M]{\Downarrow} \ \Rightarrow\ A \models C[N]{\Downarrow}$
$\Rightarrow A \models M \sqsubseteq N$.

The argument for formulae of other forms is similar. ■
As an immediate corollary of this Proposition, 

Proposition 6.6.13 The denotational semantics of each of our languages 
is sound with respect to the operational semantics: 

iii) 530(A{C})CcjO(£c,{C}) 
{ill) $>o(A{P})c^J°(£p,{P}). 

We now turn to the question of full abstraction for these languages. Since, as we have seen, $\ell_{\mathsf{P}}$ is $\mathsf{P}$-sensible, and hence sensible and approximable, and $\mathsf{C}$ and $\mathsf{P}$ are definable, we can apply the Full Abstraction Theorem to obtain

Proposition 6.6.14 $D$ is fully abstract for $\ell_{\mathsf{P}}$.

We now use the sequential nature of $\ell$ and $\ell_{\mathsf{C}}$ to obtain negative full abstraction results for these languages. This will require a few preliminary notions.






Definition 6.6.15 The one-step reduction relation $>$ over terms in $\Lambda$ is the least satisfying the following axioms and rules:

• $(\lambda x.M)N > M[N/x]$

• $M > M' \ \Longrightarrow\ MN > M'N$

This is then extended to $\Lambda(\{\mathsf{C}\})$ with the additional rules

• $\mathsf{C}(\lambda x.M) > \mathsf{I}$ • $\mathsf{C}\mathsf{C} > \mathsf{I}$

• $M > M' \ \Longrightarrow\ \mathsf{C}M > \mathsf{C}M'$

We then define

• $\twoheadrightarrow$ = the reflexive, transitive closure of $>$

• $M{\uparrow} \ \equiv\ \exists\{M_n\}.\ M = M_0\ \&\ \forall n.\ M_n > M_{n+1}$

• $M{\not>} \ \equiv\ M \notin \mathrm{dom}\,>$

• $M{\downarrow}N \ \equiv\ M \twoheadrightarrow N\ \&\ N{\not>}$.

It is clear that $>$ is a partial function. Note that these relations are being defined over all terms, not just closed ones. For closed terms, these new notions are related to the evaluation predicate $\Downarrow$ as follows:

Proposition 6.6.16 For $M, N \in \Lambda^\circ$ ($\Lambda^\circ(\{\mathsf{C}\})$):

(i) $M{\Downarrow}N \iff M{\downarrow}N$
(ii) $M{\Uparrow} \iff M{\uparrow}$.

We omit the straightforward proof. The following proposition is basic; it says that "reduction commutes with substitution".

Proposition 6.6.17 $M \twoheadrightarrow N \ \Rightarrow\ M[P/x] \twoheadrightarrow N[P/x]$.

Proof. Clearly, it is sufficient to show:

$M > N \ \Rightarrow\ M[P/x] > N[P/x]$.

This is proved by induction on $M$, and cases on why $M > N$. We give one case for illustration:

$M = (\lambda y.M_1)M_2 > N = M_1[M_2/y]$.
We assume $x \neq y$; the other sub-case is simpler.

$M[P/x] = (\lambda y.M_1[P/x])M_2[P/x]$

$> M_1[P/x][M_2[P/x]/y]$

$= M_1[M_2/y][P/x]$ by [Bar84, 2.1.16]

$= N[P/x]$. ■



Now we come to the basic sequentiality property of $\ell$ from which various non-definability results can be deduced.

Proposition 6.6.18 For $M \in \Lambda$, exactly one of the following holds:
(i) $M{\uparrow}$

(ii) $M \twoheadrightarrow \lambda x.N$
(iii) $M \twoheadrightarrow xN_1 \ldots N_k$ ($k \ge 0$).

Proof. Since $>$ is a partial function, the computation sequence beginning with $M$ is uniquely determined. Either it is infinite, yielding (i); or it terminates in a term $N$ with $N{\not>}$, which must be in one of the forms (ii) or (iii).

As a consequence of this proposition, we obtain

Theorem 6.6.19 $\mathsf{C}$ is not definable in $\ell$. Moreover, $D$ is not fully abstract for $\ell$.

Proof. We shall show that $\ell$ satisfies

Indeed, consider any term $M \in \Lambda^\circ$. Either $M{\Uparrow}$, in which case $M\Omega{\Uparrow}$ and $M(\mathsf{K}\Omega){\Uparrow}$, or $M{\Downarrow}$. In the latter case, by ($\Downarrow\eta$) we have $\ell \models M = \lambda x.Mx$. Thus without loss of generality we may take $M$ to be of the form $\lambda x.M'$, with $FV(M') \subseteq \{x\}$. Now applying the three previous propositions to $M'$, we see that in case (i) of 6.6.18, $(\lambda x.M')\Omega{\Uparrow}$ and $(\lambda x.M')(\mathsf{K}\Omega){\Uparrow}$; in case (ii), $(\lambda x.M')\Omega{\Downarrow}$ and $(\lambda x.M')(\mathsf{K}\Omega){\Downarrow}$; finally in case (iii), if $k = 0$, $\lambda x.M' = \mathsf{I}$; while if $k > 0$, $(\lambda x.M')\Omega{\Uparrow}$ and $(\lambda x.M')(\mathsf{K}\Omega){\Uparrow}$. Since $\mathsf{C} \neq \mathsf{I}$, $\mathsf{C}\Omega{\Uparrow}$ and $\mathsf{C}(\mathsf{K}\Omega){\Downarrow}$, this shows that $\mathsf{C}$ is not definable. Moreover, the property just shown implies

$x\Omega{\Uparrow}\ \&\ x(\mathsf{K}\Omega){\Downarrow} \ \Rightarrow\ x = \mathsf{I}$

which is not satisfied by $D$, since $\mathsf{C}$ is definable in $D$, and taking $x = \mathsf{C}$ refutes it; hence $D$ is not fully abstract for $\ell$. ■

Note that since $\mathsf{C}$ is not definable in $\ell$, we could not apply the Full Abstraction Theorem. By contrast, to show that $D$ is not fully abstract for $\ell_{\mathsf{C}}$, it suffices to show that $\mathsf{P}$ is not definable. For this purpose, we prove a result analogous to 6.6.18.

Proposition 6.6.20 For $M \in \Lambda(\{\mathsf{C}\})$, exactly one of the following conditions holds:

(i) $M{\uparrow}$

(ii) $M \twoheadrightarrow \lambda x.N$
(iii) $M \twoheadrightarrow \mathsf{C}$

(iv) $M \twoheadrightarrow \underbrace{\mathsf{C}(\mathsf{C} \ldots (\mathsf{C}}_{n}\, xN_1 \ldots N_k) \ldots)P_1 \ldots P_m$ $(n, k, m \ge 0)$

Proof. Similar to 6.6.18. ■

Theorem 6.6.21 $\mathsf{P}$ is not definable in $\ell_{\mathsf{C}}$; hence $D$ is not fully abstract for $\ell_{\mathsf{C}}$.

Proof. We show that $\ell_{\mathsf{C}}$ satisfies

$x(\mathsf{K}\Omega)\Omega{\Downarrow}\ \&\ x\Omega(\mathsf{K}\Omega){\Downarrow} \ \Rightarrow\ x\Omega\Omega{\Downarrow}$,

and hence, as in the proof of the Full Abstraction Theorem, $\mathsf{P}$ is not definable in $\ell_{\mathsf{C}}$. As in the proof of 6.6.19, without loss of generality we consider closed terms of the form $\lambda y_1.\lambda y_2.M$. Assume $(\lambda y_1.\lambda y_2.M)(\mathsf{K}\Omega)\Omega{\Downarrow}$ and $(\lambda y_1.\lambda y_2.M)\Omega(\mathsf{K}\Omega){\Downarrow}$. Applying 6.6.20, we see that case (i) is impossible; cases (ii) and (iii) imply that $(\lambda y_1.\lambda y_2.M)\Omega\Omega{\Downarrow}$; while in case (iv), if $x = y_1$, then $(\lambda y_1.\lambda y_2.M)\Omega(\mathsf{K}\Omega){\Uparrow}$, contra hypothesis; and if $x = y_2$, $(\lambda y_1.\lambda y_2.M)(\mathsf{K}\Omega)\Omega{\Uparrow}$, also contra hypothesis. Thus case (iv) is impossible, and the proof is complete. ■

For our final non-definability result, we shall consider a different style of extension of $\ell$, to incorporate ground data. We shall consider the simplest possible such extension, where a single atom is added. This corresponds to the domain equation

(where $+$ is separated sum), which is indeed an extension of our original domain, in the sense that $D$ is a retract of $D_\star$. $D_\star$ is still a Scott domain (indeed, a coherent algebraic cpo), but it is no longer a lattice; we have introduced inconsistency via the sum.

This extension is reflected on the syntactic level by two constants, $\star$ and $\mathsf{C}$. We define

$\ell_\star = (\Lambda^\circ(\{\star, \mathsf{C}\}), {\Downarrow})$

with $\Downarrow$ extending the definition for $\ell$ as follows:

• $\star{\Downarrow}\star$ • $\mathsf{C}{\Downarrow}\mathsf{C}$

• $M{\Downarrow}\lambda x.N \ \Longrightarrow\ \mathsf{C}M{\Downarrow}\mathsf{T}$ • $M{\Downarrow}\mathsf{C} \ \Longrightarrow\ \mathsf{C}M{\Downarrow}\mathsf{T}$ $\quad(\mathsf{T} = \lambda x.\lambda y.x)$

• $M{\Downarrow}\star \ \Longrightarrow\ \mathsf{C}M{\Downarrow}\mathsf{F}$ $\quad(\mathsf{F} = \lambda x.\lambda y.y)$

We see that the $\mathsf{C}$ combinator introduced here is a natural generalisation (not strictly an extension) of the $\mathsf{C}$ defined previously in the pure case. Of course, $\mathsf{C}$ corresponds to case selection, which in the unary case (lifting being unary separated sum) is just convergence testing.

A theory can be developed for $\ell_\star$ which runs parallel to what we have done for the pure lazy $\lambda$-calculus. Some of the technical details are more complicated because of the presence of inconsistency, but the ideas and results are essentially the same. Our reasons for mentioning this extension are twofold:

1. To show how the ideas we have developed can be put in a broader context. In particular, with the extension to $\ell_\star$ the reader should be able to see, at least in outline, how our work can be applied to systems such as Martin-Löf's Type Theory under its Domain Interpretation [DNPS83], and (the analogues of) our results in this section can be used to settle most of the questions and conjectures raised in [DNPS83].

2. To prove an interesting result which clarifies a point about which there seems to be some confusion in the literature; namely, what is parallel or?



The locus classicus for parallel or in the setting of typed $\lambda$-calculus is [Plo77]. But what of untyped $\lambda$-calculus? In [Bar84, p. 375], we find the following definition:

$FMN = \begin{cases} \mathsf{I} & \text{if } M \text{ or } N \text{ is solvable,} \\ \text{unsolvable} & \text{otherwise} \end{cases}$

which (modulo the difference between the standard and lazy theories) corresponds to our parallel convergence combinator $\mathsf{P}$. The point we wish to make is this: in the pure $\lambda$-calculus, where (in domain terms) there are no inconsistent data values (since everything is a function), i.e. we have a lattice, parallel convergence does indeed play the role of parallel or, as the Full Abstraction Theorem shows. However, when we introduce ground data, and hence inconsistency, a distinction reappears between parallel convergence and parallel or, and it is definitely wrong to conflate them. To substantiate this claim, we shall prove the following result: even if parallel convergence is added to $\ell_\star$, parallel or is still not definable. This result is also of interest from the point of view of the fine structure of definability; it shows that parallelism is not all or nothing even in the simple, deterministic setting of $\ell_\star$.

Definition 6.6.22 $\ell_{\star\mathsf{P}}$ is the extension of $\ell_\star$ with a constant $\mathsf{P}$ and the rules

• $\mathsf{P}{\Downarrow}\mathsf{P}$ • $\mathsf{P}M{\Downarrow}\mathsf{P}M$

• $M{\Downarrow}N \ \Longrightarrow\ \mathsf{P}MN{\Downarrow}\mathsf{I}$ • $N{\Downarrow}N' \ \Longrightarrow\ \mathsf{P}MN{\Downarrow}\mathsf{I}$

Definition 6.6.23 Let $\ell'$ be an extension of $\ell_\star$. We say that parallel or is definable in $\ell'$ if for some term $M$

(i) $M(\mathsf{K}\Omega)\Omega$, $M\Omega(\mathsf{K}\Omega)$ converge to abstractions
(ii) $M\star\star{\Downarrow}\star$.

Theorem 6.6.24 Parallel or is not definable in $\ell_{\star\mathsf{P}}$.
Proof. We proceed along similar lines to our previous non-definability results. Firstly, we extend our definition of $>$ as follows:

• constructor($M$) $\equiv$ $M$ is an abstraction, $\mathsf{P}$, $\mathsf{C}$ or $\star$

• constructor($M$) $\&\ M \neq \star \ \Rightarrow\ \mathsf{C}M > \mathsf{T}$

• $\mathsf{C}\star > \mathsf{F}$

• $M > M' \ \Longrightarrow\ \mathsf{C}M > \mathsf{C}M'$

• constructor($M$) or constructor($N$) $\ \Rightarrow\ \mathsf{P}MN > \mathsf{I}$

• $M > M',\ N > N' \ \Longrightarrow\ \mathsf{P}MN > \mathsf{P}M'N'$

With these extensions, $>$ is still a partial function, and 6.6.16, 6.6.17 still hold. For each $M \in \Lambda(\{\star, \mathsf{C}, \mathsf{P}\})$, one of the following two disjoint conditions must hold:

• $M{\uparrow}$

• $M \twoheadrightarrow N$ with $N{\not>}$.
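The reduction relation $>$ of Definition 6.6.15 (β and the $\mathsf{C}$ rules) together with the $\mathsf{P}$ rules just listed, as an added executable model written for this page; it is not code from the thesis. It works on closed terms in de Bruijn form, detects divergence $M{\uparrow}$ by a step budget, and assumes the rule $\mathsf{C}M > \mathsf{I}$ for every constructor $M$, merging $\mathsf{C}(\lambda x.M) > \mathsf{I}$ and $\mathsf{CC} > \mathsf{I}$ with the constructor predicate of the combined language (the pure case has no $\star$, so $\mathsf{C}$ yields $\mathsf{I}$ rather than $\mathsf{T}$/$\mathsf{F}$).

```python
from dataclasses import dataclass
from typing import Optional, Union

# Added model of the one-step reduction relation > (Definition 6.6.15 plus the
# P rules of Theorem 6.6.24's proof); written for this page, not the thesis's
# own code.  Terms use de Bruijn indices so that substitution needs no renaming.

@dataclass(frozen=True)
class Var:
    i: int                      # de Bruijn index: 0 is the innermost binder

@dataclass(frozen=True)
class Lam:
    body: "Term"                # λ. body

@dataclass(frozen=True)
class App:
    fn: "Term"
    arg: "Term"

@dataclass(frozen=True)
class Const:
    name: str                   # the combinators C and P of the page

Term = Union[Var, Lam, App, Const]
C, P = Const("C"), Const("P")
I = Lam(Var(0))                                                     # I = λx.x
K = Lam(Lam(Var(1)))                                                # K = λx.λy.x
OMEGA = App(Lam(App(Var(0), Var(0))), Lam(App(Var(0), Var(0))))     # Ω = (λx.xx)(λx.xx)

def shift(t: Term, d: int, cutoff: int = 0) -> Term:
    """Shift free indices >= cutoff by d (standard de Bruijn bookkeeping)."""
    if isinstance(t, Var):
        return Var(t.i + d) if t.i >= cutoff else t
    if isinstance(t, Lam):
        return Lam(shift(t.body, d, cutoff + 1))
    if isinstance(t, App):
        return App(shift(t.fn, d, cutoff), shift(t.arg, d, cutoff))
    return t

def subst(t: Term, j: int, s: Term) -> Term:
    """t[s/j], also lowering the indices above j that lose their binder."""
    if isinstance(t, Var):
        if t.i == j:
            return s
        return Var(t.i - 1) if t.i > j else t
    if isinstance(t, Lam):
        return Lam(subst(t.body, j + 1, shift(s, 1)))
    if isinstance(t, App):
        return App(subst(t.fn, j, s), subst(t.arg, j, s))
    return t

def constructor(t: Term) -> bool:
    """constructor(M): M is an abstraction, P or C (no ground constant here)."""
    return isinstance(t, Lam) or t in (C, P)

def step(t: Term) -> Optional[Term]:
    """One step of >, or None if t is not in dom > (t is a normal form)."""
    if not isinstance(t, App):
        return None
    f, a = t.fn, t.arg
    if isinstance(f, Lam):                       # (λx.M)N > M[N/x]
        return subst(f.body, 0, shift(a, 1))
    if f == C:                                   # C(λx.M) > I, CC > I;
        if constructor(a):                       # CP > I is an added assumption
            return I
        a2 = step(a)                             # M > M'  ⟹  CM > CM'
        return App(C, a2) if a2 is not None else None
    if isinstance(f, App) and f.fn == P:         # the term is P M N
        m, n = f.arg, a
        if constructor(m) or constructor(n):     # either side converged: PMN > I
            return I
        m2, n2 = step(m), step(n)                # M > M', N > N' ⟹ PMN > PM'N'
        if m2 is not None and n2 is not None:
            return App(App(P, m2), n2)
        return None
    f2 = step(f)                                 # M > M'  ⟹  MN > M'N
    return App(f2, a) if f2 is not None else None

def normal_form(t: Term, fuel: int = 500) -> Optional[Term]:
    """Run the (deterministic) computation sequence; None if it has not
    terminated within `fuel` steps, which is how divergence M↑ shows up."""
    for _ in range(fuel):
        nxt = step(t)
        if nxt is None:
            return t
        t = nxt
    return None

def app(*ts: Term) -> Term:
    """Left-associated application M N1 ... Nk."""
    t = ts[0]
    for u in ts[1:]:
        t = App(t, u)
    return t

if __name__ == "__main__":
    # Convergence testing is sequential: Cxy = y if x⇓, and Cxy⇑ if x⇑.
    print(normal_form(app(C, I, I)) == I)
    print(normal_form(app(C, OMEGA, I)) is None)
    # Parallel convergence: PMN > I as soon as either argument converges.
    print(normal_form(app(P, app(K, OMEGA), OMEGA)) == I)
    print(normal_form(app(P, OMEGA, app(K, OMEGA))) == I)
    print(normal_form(app(P, OMEGA, OMEGA)) is None)
```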

We now define $T$ to be the set of all terms $M$ in $\Lambda(\{\star, \mathsf{C}, \mathsf{P}, \bot\})$, where $\bot$ is a new constant, such that:

• $FV(M) \subseteq \{y_1, y_2\}$

• $M$ contains no $>$-redex.

Note that $T$ is closed under sub-terms.

Lemma A

For all $M \in T$:

$M[\mathsf{K}\Omega/y_1, \Omega/y_2]{\Downarrow}a\ \&\ M[\Omega/y_1, \mathsf{K}\Omega/y_2]{\Downarrow}b\ \&\ M[\star/y_1, \star/y_2]{\Downarrow}c$
$\Rightarrow a = b = c = \star$ or $\star \notin \{a, b, c\}$.
Proof. By induction on $M$. Since terms in $T$ contain no $>$-redexes, $M$ must have one of the following forms:

(i) $xN_1 \ldots N_k$ ($x \in \{y_1, y_2\}$, $k \ge 0$)

(ii) $\star N_1 \ldots N_k$ ($k \ge 0$)

(iii) $\lambda x.N$

(iv) $\mathsf{C}$

(v) $\mathsf{P}$

(vi) $\mathsf{P}N$

(vii) $\mathsf{C}NN_1 \ldots N_k$ ($k \ge 0$)

(viii) $\mathsf{P}M_1M_2N_1 \ldots N_k$ ($k \ge 0$)

(ix) $\bot N_1 \ldots N_k$ ($k \ge 0$)

Most of these cases can be disposed of directly; we deal with the two which use the induction hypothesis.

(vii). Firstly, we can apply the induction hypothesis to $N$ to conclude that $N[c_1/y_1, c_2/y_2]$ converges to the same result (i.e. either an abstraction or $\star$) for all three argument combinations $c_1, c_2$; we can then apply the induction hypothesis to either $N_1N_3 \ldots N_k$ or $N_2N_3 \ldots N_k$.

(viii). Under the hypothesis of the Lemma, we must have

$(\mathsf{P}M_1M_2)[c_1/y_1, c_2/y_2]{\Downarrow}$

for all three argument combinations $c_1, c_2$; hence we can apply the induction hypothesis to $N_1 \ldots N_k$. ■

Lemma B

Let $M \in \Lambda(\{\star, \mathsf{C}, \mathsf{P}\})$, with $FV(M) \subseteq \{y_1, y_2\}$. Then for some $M' \in T$, for all $P, Q \in \Lambda^\circ(\{\star, \mathsf{C}, \mathsf{P}\})$:

$M[P/y_1, Q/y_2]{\Downarrow}\star \iff M'[P/y_1, Q/y_2]{\Downarrow}\star$.

Proof. Given $M$, we obtain $M'$ as follows; working in an inside-out fashion, we replace each sub-term $N$ by:

$\bot$ if $N{\uparrow}$. ■
Now suppose that we are given a putative term in $\Lambda(\{\star, \mathsf{C}, \mathsf{P}\})$ defining parallel or. As in the proof of 6.6.21, we may take this term to have the form $\lambda y_1.\lambda y_2.M$. Applying Lemma B, we can obtain $M' \in T$ from $M$; but then applying Lemma A, we see that $\lambda y_1.\lambda y_2.M'$ cannot define parallel or. Applying Lemma B again, we conclude that $\lambda y_1.\lambda y_2.M$ cannot define parallel or either. ■
6.7 Variations

Throughout this Chapter, we have focussed on the lazy $\lambda$-calculus. We round off our treatment by briefly considering the varieties of function space.

1. The Scott function space

$[D \to E]$, the standard function space of all continuous functions from $D$ to $E$, which we treated in Chapters 3 and 4. In terms of our domain logic $\mathcal{L}$, we can obtain this construction by adding the axiom

(1) $\mathsf{t} \le (\mathsf{t} \to \mathsf{t})_\bot$.

Note that with (1), $\mathcal{L}$ collapses to a single equivalence class (corresponding to the trivial one-point solution of $D = [D \to D]$). For this reason, Coppo et al. have to introduce atoms in their work on Extended Applicative Type Structures [CDHL84].

2. The strict function space

$[D \to_\bot E]$, all strict continuous functions. This satisfies (1), and also

(2) (t^x0)</ m- 

3. The lazy function space

$[D \to E]_\bot$, which satisfies neither (1) nor (2). This has of course been our object of study in this Chapter.

4. The Landin-Plotkin function space

$[D \to_\bot E]_\bot$, the lifted strict function space. This satisfies (2) but not (1). The reason for our nomenclature is that this construction in the category of domains and strict continuous functions corresponds to Plotkin's $[D \rightharpoonup E]$ construction in his (equivalent) category of predomains and partial functions [Plo85]. Moreover, this may be regarded as the formalisation of Landin's applicative-order $\lambda$-calculus, with abstraction used to protect expressions from evaluation, as illustrated extensively in [Lan64, Lan65, Bur75].
The intriguing point about these four constructions is that (1) and (2) are mathematically natural, yielding cartesian closure and monoidal closure in e.g. CPO and CPO$_\bot$ respectively (the latter being analogous to partial functions over sets); while (3) and (4) are computationally natural, as argued extensively for (3) in this Chapter, and as demonstrated convincingly for (4) by Plotkin in his work on predomains [Plo85]. Much current work is aimed at providing good categorical descriptions of generalisations of (4) [Ros86, RR87, Mog86, Mog87, Mog]; it remains to be seen if a similar programme can be carried out for (3).
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Chapter 7 
Further Directions 



Our development of the research programme adumbrated in Chapter 1 has 
been fairly extensive, but certainly not complete. There are many possibili- 
ties for extension and generalisation of our results. In this Chapter, we shall 
try to pick out some of the most promising topics for future research. 

1. A first, very basic extension would be to rework the material of Chap- 
ters 3 and 4 for SFP rather than SDom. In terms of the meta- 
language, the extension would be to incorporate the Plotkin power- 
domain and the associated term constructions. Our treatment of the 
Plotkin powerdomain in a specific instance in Chapter 5 should con- 
vey the general flavour of what is involved. The extension to SFP is 
conceptually straightforward; we remain within the sphere of coher- 
ent spaces. However, there are some technical intricacies which arise 
with the meta-predicates, to do with the fact that the identification 
of primes is more subtle in the SFP case; this should be clear from 
our work on normal forms in Chapter 5 section 4. These intricacies 
are negotiable, and indeed I claim that all our work in this thesis does 
carry over (a detailed account, taking Chapters 3 and 4 of the present 
thesis as its starting point, is being worked out by a student of Glynn Winskel's [Zha86]).

2. All our work in this thesis has been based on Domain Theory, simply because this is the best established and most successful foundation for denotational semantics, and a wealth of applications are ready to hand. However, our programme is really much more general than this. Any category of topological spaces in which a denotational metalanguage can be interpreted, and for which a suitable Stone duality exists, could serve as the setting for the same kind of exercise as we carried out in Chapter 4. As one example of this: the main alternatives to domains in denotational semantics over the past few years have been compact ultrametric spaces [Niv81, dBZ82, Mat85]. These spaces in their metric topologies are Stone spaces, and indeed the category of compact ultrametric spaces and continuous maps is equivalent to the category of second-countable Stone spaces [Abr]. A restricted denotational metalanguage comprising product, (disjoint) sum and powerdomain (the Vietoris construction [Joh85, Smy83b], which in this context is induced by the Hausdorff metric [Niv81, dBZ82, Mat85]) can be interpreted in Stone, together with the corresponding sub-language of terms (with guarded recursion, leading to contracting maps, and hence unique fixpoints [Niv81, dBZ82, Mat85]). Under the classical Stone duality as expounded in Chapter 1, the corresponding logical structures are Boolean algebras, and a classical logic can be presented for this metalanguage in entirely analogous fashion to that of Chapter 4. Since the meta-language is rich enough to express a domain equation for synchronisation trees, study along the same lines as that of Chapter 5 can be carried through. Moreover, there is a satisfying relationship between the Stone space of synchronisation trees (which is the metric topology on the ultrametric space constructed in [dBZ82]) and the corresponding domain studied in Chapter 5; namely, the former is the subspace of maximal elements of the latter. This is in fact an instance of a general relationship, as set out in [Abr]. The important point here is that our programme is just as applicable to the metric-space approach to denotational semantics as to the domain-theoretic approach.

3. A further kind of generalisation would be to structures other than topological spaces. Many Stone-type dualities in such alternative contexts are known; e.g. Stone-Gelfand-Naimark duality for C*-algebras, Pontrjagin duality for topological groups, Gabriel-Ulmer duality for locally finitely presented categories, etc. [Joh82]. Particularly promising for Computer Science applications are the measure-theoretic dualities studied by Kozen [Koz83] as a basis for the semantics and logic of probabilistic programs. A very interesting feature of these dualities is that whereas the purely topological dualities have the Sierpinski space O as their "schizophrenic object" (see [Joh82, Chapter 6]), i.e. the fundamental relationship $P \models \phi$ takes values in $\{0, 1\}$, the measure-theoretic dualities take their "characters" in the reals; satisfaction of a measurable function by a measure is expressed by integration [Koz83]. The richer mathematical structure of these dualities should deepen our understanding of the framework. Furthermore, there are intriguing connections with Lawvere's concept of "generalised logics" [Law73].

4. The logics of compact-open sets considered in this thesis have been very weak in expressive power, and are clearly inadequate as a specification formalism. For example, we cannot specify such properties of a stream computation as "emits an infinite sequence of ones". Thus we need a language, with an accompanying semantic framework, which permits us to go beyond compact-open sets. A first step would be to allow the expression of more general open sets, e.g. by means of a least fixed point operator on formulae permitting the finite description of infinite disjunctions $\bigvee_{i \in \omega} \phi^{i}(\mathbf{f})$. This would have the advantage of not requiring any major extension of our semantics, but would still not be sufficiently expressive for specification purposes, as the above example shows. What is needed is the ability to express infinite conjunctions, e.g. by greatest fixpoints $\nu p.\phi$, corresponding to $\bigwedge_{i \in \omega} \phi^{i}(\mathbf{t})$. Such an extension of our logic would necessarily take us beyond open sets. An important topic for further investigation is whether such an extension can be smoothly engineered and given a good conceptual foundation.

Another reason for extending the logic is the tempting proximity of 
locale theory to topos theory. Could this be the basis of the junction 
between topos theory and Computer Science which many researchers 
have looked for but none has yet convincingly demonstrated? We must 
leave this point unresolved. If there is a natural extension of our work 
to the level of topos theory, we have not (yet) succeeded in finding it. 
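As an added illustration, not from the thesis, of why the least-fixpoint step in item 4 falls short while greatest fixpoints suffice, consider streams over $\{0,1\}$ and write $\langle 1 \rangle \phi$ for the (assumed) compact-open assertion "the next element emitted is a 1 and the remainder satisfies $\phi$" (likewise $\langle 0 \rangle \phi$), with $\mu p.\phi$ the least fixpoint dual to $\nu p.\phi$:

$$
\begin{aligned}
\mu p.\,(\langle 1\rangle \mathbf{t} \vee \langle 0\rangle p) &= \bigvee_{i \in \omega} \langle 0\rangle^{i}\langle 1\rangle \mathbf{t} &&\text{``eventually emits a 1'': an infinite union of compact-opens, open but not compact-open;}\\
\mu p.\,\langle 1\rangle p &= \bigvee_{i \in \omega} \langle 1\rangle^{i}\mathbf{f} = \mathbf{f} &&\text{since } \langle 1\rangle \mathbf{f} = \mathbf{f}\text{, so no least fixpoint captures the infinite-ones property;}\\
\nu p.\,\langle 1\rangle p &= \bigwedge_{i \in \omega} \langle 1\rangle^{i}\mathbf{t} &&\text{``emits an infinite sequence of ones'': an infinite intersection of compact-opens, no longer open.}
\end{aligned}
$$

The last line is the precise sense in which greatest fixpoints take the logic beyond open sets: every finite observation of a stream of ones is still consistent with a later 0.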

5. Another variation is to change the morphisms under consideration. Stone dualities relating to the various powerdomain constructions (i.e. dualities for multi-functions rather than functions) are interesting for a number of reasons: they generalise predicate transformers in the sense of Dijkstra [Dij76, Smy83b]; dualities for the Vietoris construction provide a natural setting for intuitionistic modal logic, with interesting differences to the approach recently taken by Plotkin and Stirling; while there are some remarkable self-dualities arising from the Smyth powerdomain [Vic87]. These turn out, quite unexpectedly, to provide a model for Girard's classical linear logic [Gir87]; more speculatively, they also suggest the possibility of a homogeneous logical framework in which programs and properties are interchangeable. This may turn out to provide the basis for a unified and systematic treatment of a number of existing ad hoc formalisms [GS86, Win85].

6. Turning now to the first of our case studies, a number of interesting further developments suggest themselves. Firstly, from the results of Chapter 5, we can define a fully abstract denotational semantics for SCCS in our denotational metalanguage, and faithfully interpret Hennessy-Milner logic into our domain logic. Thus we should automatically get a compositional proof theory for HML. It would be particularly worthwhile to demonstrate this in detail, as the construction of compositional proof systems for HML by Stirling [Sti87] and Winskel [Win85] is one of the most impressive examples to date of the exercise of ad hoc ingenuity in the design of program logics.

Other useful extensions of our work would be to equivalences other than bisimulation (hard); and to countable non-determinism, using Plotkin's powerdomain for countable non-determinism [Plo82]. An interesting point about this construction is that we lack a good representation for it, and a logical description might help.

7. Our development of the lazy $\lambda$-calculus represents no more than a beginning. An extensive study is being undertaken by Luke Ong; anyone interested in pursuing the subject further is strongly recommended to read his forthcoming thesis (Imperial College, University of London; expected 1988).

8. Some more general points concerning the two case studies. Firstly, the operational models we study — labelled transition systems in Chapter 5 and lambda transition systems in Chapter 6 — are almost derived in a systematic way from our domain equations. Namely, a labelled transition system is a map

$$\mathrm{Proc} \to \mathcal{P}((\mathrm{Act} \times \mathrm{Proc}) \cup \{\bot\})$$

i.e. a coalgebra of the functor (on Set)

$$X \mapsto \mathcal{P}((\mathrm{Act} \times X) \cup \{\bot\}).$$

Similarly, an applicative transition system is a coalgebra of the Set-functor

$$X \mapsto (X \to X) \cup \{\bot\}.$$

Since $(\mathrm{Act} \times D) \cup \{\bot\}$ can be put in natural bijection with $(\sum_{a \in \mathrm{Act}} D)_{\bot}$, and $(D \to D) \cup \{\bot\}$ with $(D \to D)_{\bot}$, we see that our domain equations give rise to essentially the same functors, but over domains rather than sets. Moreover, because of the limit-colimit coincidence in Domain Theory [SP82], we can take the initial solution of a domain equation (with respect to embeddings) as the final coalgebra (with respect to projections). Thus our results can in some sense be seen as concerning the interpretation and "best approximation" of Set-based structures in topological ones. Clearly some general theory is called for here.

9. Finally, one of our aims in Chapters 5 and 6 was to place the study of 
functional languages and concurrency on as similar a footing as possi- 
ble. Much remains to be done here, although we hope to have made a 
useful first step. 